MARKOV is brought to you by Risknowlogy to make probabilistic calculations easy.
» Numerical and graphical results

Objective

» The objective of this review course is to train the attendants in the fundamental principles of functional safety concerning safety instrumented systems and to get their competency in the functional safety standards certified by TÜV.

Welcome

» In this module
* Introduction
* TÜV Functional Safety Certification Program
* Course overview

Introduction

» Nice to meet you...
» Who are you?
* Your name
* Company
* Position
* Professional background
* Why are you interested in functional safety?
» Who are we?

During the Training...

» Please consider the following
* In case of an emergency the exits are...
* Feel free to answer your mobile phone, but turn it to silent
* Feel free to ask questions at any time

The Next Four Days

» Duration
* 3 day course
* Exam on the fourth day
» Working day
* 9:00 - 16:30
* 1 hour lunch at 12:00
* Breaks at any time we want
» Exam
* Duration: 4 hours

Functional Safety Certification Program

» What is the program about?
» The goal of the TÜV Functional Safety Certification (FSC) program is to establish around the world a group of functional safety professionals and experts with a common set of knowledge about functional safety according to important functional safety standards like IEC 61508, IEC 61511, IEC 62061 and so on.

The FSC Program Offers...

» Certification in
* Safety related systems for all systems
* Automotive industry
* Machinery industry
* Process industry
* Railway industry
» Courses for
* Developers of hardware and software for safety devices
* Users and integrators of safety devices

Qualifications

» Two qualifications exist
* Functional Safety Professional - FSP
* Functional Safety Expert - FSE
» Training is conducted by an FSE

Functional Safety Professional

» Requirements
* 6 years of professional experience
* Appropriate education gives you experience credit: Bachelor 2 years, Masters 3 years, PhD 4 years
* Two references

Course Overview

» Course
* Modular with units
* Exercises and examples
* Discussions
» Exam
* Closed book exam
* 60 multiple choice questions
* 25 open questions
* Passing criteria: minimum 75% score

Contents

» Modules:
* Introduction to functional safety
* The basics of functional safety
* Hazard & risk analysis
* Planning the safety instrumented systems
* Hardware design
* Software design
* Certification, Proven In Use, Data
* Using the safety instrumented systems
* Conclusions

Introduction to Functional Safety

» In this module
* Accidents in the news
* What is functional safety?
* History of functional safety
* Overview of laws & standards
* Application area
* Layers of protection
* Safety instrumented system
* Overview IEC 61508 / IEC 61511

Accidents in the News

» Well known accidents
* Flixborough, UK, 1974
* Seveso, Italy, 1976
* Bhopal, India, 1984
* Piper Alpha, North Sea, 1988
» Recent accidents
* Toulouse, France, 2001 September 21
* Geleen, The Netherlands, 2003 April 1
* Texas City, TX, USA, 2005 March 23
* Jilin City, China, 2005 November 13
* Buncefield, United Kingdom, 2005 December 11

Toulouse

» Fact Sheet
* Location: Toulouse, France
* Date: 2001 September 21st
* Problem: Explosion in a fertilizer plant equivalent to 20-40 tons of TNT
* Direct result:
* 31 people were reported dead
* 2,442 total number of injuries
* 140 vehicles damaged on the road
* 100 buses damaged in a parking lot

Toulouse

[Figure: map of the blast area; labels: 140 vehicles damaged on the road, 100 buses damaged in a parking lot, building destroyed, building damaged]

Toulouse

Figure 2: View of the crater caused by the explosion

Geleen — April 2003

» Fact Sheet
* Location: Geleen, The Netherlands
* Date: 2003 April 1st
* Problem:
* Several attempts had been made to start the furnace after maintenance
* Operators in the control room let gas and air flow into the furnace
* The explosion occurred because the furnace was still hot from the previous startup attempts
* Work instructions and procedures were not followed during maintenance
* No safety was built in during maintenance activities; safety depended completely on the operators during startup

Geleen — April 2003

» Fact Sheet
* Direct result:
* 3 people killed
* Indirect result:
* DSM Melamine B.V. convicted
* 75,000 Euro fine because they were responsible for the deaths
* 25,000 Euro fine because they violated the law
* The lawyer complained that the fine bore no relation to the profits made by DSM
* Corporate damage: "Several tens of millions of Euros" according to Lex Litjens (Director DSM Corporate Risk & Insurance)

Geleen — April 2003

[Photo: roof of the furnace, or what is left of it]

Texas City — Refinery Explosion

» Data
* Location: Texas City, TX, USA
* Date: 2005 March 23
* Problem: Several equipment failures, procedural failures
» Direct results:
* Probable cause was a failure in the raffinate splitter column
* At least 5 explosions occurred
* 15 killed, over 170 injuries
* Buildings and cars destroyed
* Residences shook 5 miles from the accident scene

Texas City — Refinery Explosion

» Indirect results:
* About 300 alleged violations of safety rules were found
* $21.3 million fine was paid to OSHA
* $700 million was reserved to compensate the victims
* More than $3 billion set aside for development over 5 years at US BP plants
» Between the lines
* Over 100 incidents had been reported by BP over 6 years to the National Response Center (NRC)

Texas City — Refinery Explosion

[Photo, Karen Warren / Chronicle: An aerial view of BP's Texas City refinery shows the flattened unit that exploded, seen in the foreground. The blast ripped a hole in a chemical storage tank 300 yards away, above center. The hole allowed benzene to evaporate into the air.]

RISKNOWLOGY
Copyright © 2002 - 2011 Risknowlogy. All rights reserved.

Jilin City — River Spill After Explosion

» Data
* Location: Jilin City, China
* Date: 2005 November 13
* Problem: High levels of benzene and nitrobenzene spilled into the river after an explosion
» Direct results: 6 people killed
» Indirect results:
* 80 km stretch of contaminated water
* 40 hours to move through
* But it was winter and the water was freezing
* 6000+ people evacuated

Jilin City — River Spill After Explosion

[Photo, China Foto Press: massive explosion at the PetroChina benzene factory in the city of Jilin on 13 November]

Polluted Water

Tests have shown concentrations of the carcinogenic chemical some 30 times higher than is considered to be safe.

People Queuing

People in Harbin, north-eastern China, queue for water after the city's own supplies were contaminated by the benzene leak.

Buncefield - Oil Depot

» Data
* Location: Buncefield, United Kingdom
* Date: 2005 December 11
* Problem: Overfilling of a tank due to equipment failure, leading to a vapour cloud which ignited
» Direct results:
* The explosion led to a large fire which lasted 5 days
* 23 storage tanks caught fire
* 43 people injured
* 2000 people evacuated
* Estimated economic impact: 1 billion British pounds

Safety Expensive?

» Why should we invest in safety?
* You think safety is expensive? Try an accident...
* Today an accident costs more than 10x the investment in the process
» We have had terrible accidents in the past
* We learned, but accidents with serious impact still happen today
* Training is one way to help people become more aware and knowledgeable about safety

What is Safety?

» ISO/IEC Guide 51 defines safety as
* Freedom from unacceptable risk

Legal Status IEC 61511

» Standards are never legally binding; they are merely used for guidance, but...
» Since its release (2003) IEC 61511 is considered State-of-the-Art or Good Engineering Practice
» State-of-the-Art means IEC 61511 is
* Technically feasible and applicable
* Organizationally possible to plan
* Economically feasible
» State-of-the-Art is a legal term in Europe and is the only thing a court looks at
» This makes it almost impossible not to comply with IEC 61511 when it comes to safety instrumented systems

Overview Laws

» In Europe many Directives (laws) exist, for example:
* Medical Devices Directive
* Lift Directive
* Seveso II Directive
* Machinery Directive
* ATEX Directive
* PED (Pressure Equipment) Directive
» In the USA
* EPA: Risk Management Program - 40 CFR Part 68
* OSHA: Process Safety Management - 29 CFR 1910.119

Overview Laws

» How about in your country?
* Do you have local occupational safety and health laws?
* Do you have national standards that you need to apply?
» How does IEC 61511 fit into these laws?

Safety Integrity Level - SIL

» SIL is how we measure the performance of safety functions carried out by safety instrumented systems
» SIL has 3 sides to the story
* Process owners: Which safety functions do I need, and how much SIL do I need?
* Engineering companies, system integrators, product developers: How do I build SIL compliant safety devices, functions or systems?
* Process operators: How do I operate, maintain and repair safety functions and systems to maintain the identified SIL levels?

Safety Integrity Level - SIL

» There are 4 SIL levels in IEC 61511 and IEC 61508
* SIL 1, 2, 3 and 4
» Important SIL properties
* SIL applies to the complete safety function / loop, so every element in the loop has to comply
* There are technical and non-technical requirements defined per SIL level
» Higher SIL means
* Stricter requirements
* The safety function fails less and is thus more available

Safety Integrity Level - SIL

» The most famous SIL requirement is the Probability of Failure on Demand
» Low demand mode targets per SIL (IEC 61508-1 / IEC 61511-1):

SIL | PFDavg                | Safety availability (1 - PFDavg) | Risk reduction factor (1 / PFDavg)
4   | >= 10^-5 to < 10^-4   | > 99.99 % to 99.999 %            | > 10 000 to 100 000
3   | >= 10^-4 to < 10^-3   | > 99.9 % to 99.99 %              | > 1 000 to 10 000
2   | >= 10^-3 to < 10^-2   | > 99 % to 99.9 %                 | > 100 to 1 000
1   | >= 10^-2 to < 10^-1   | > 90 % to 99 %                   | > 10 to 100

Problems With Safety Instrumented Systems

[Figure: a single bit failure in stored data]
65 = 1000001
97 = 1100001
1 bit failure!

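The slide's point, that one flipped bit turns 65 ('A') into 97 ('a') with nothing else looking wrong, as an added example (not course material): a constructed trip setpoint is stored with a CRC-32, one bit of it is flipped, and the corrupted frame is rejected on read-back. The frame layout, the setpoint string and the choice of CRC-32 are assumptions made for the illustration; the parity comparison at the end shows why a single parity bit is a weaker measure than a CRC.

```python
"""Single-bit corruption of a stored safety value and how it is exposed.

Added example. The frame layout and the trip setpoint are constructed for
illustration; they are not from IEC 61508 or from any real SIS product.
"""
import zlib
from typing import Optional


def flip_bit(value: int, bit: int) -> int:
    """Return value with one bit inverted (models a single-bit memory fault)."""
    return value ^ (1 << bit)


def parity(value: int) -> int:
    """Even-parity bit of the low byte: 0 for an even number of ones, 1 for odd."""
    return bin(value & 0xFF).count("1") & 1


def protect(payload: bytes) -> bytes:
    """Store the payload together with a CRC-32 of it (big-endian, 4 bytes)."""
    return payload + zlib.crc32(payload).to_bytes(4, "big")


def verify(frame: bytes) -> Optional[bytes]:
    """Return the payload if its CRC still matches, otherwise None (treat as dangerous)."""
    if len(frame) < 4:
        return None
    payload, stored = frame[:-4], int.from_bytes(frame[-4:], "big")
    return payload if zlib.crc32(payload) == stored else None


def corrupt(frame: bytes, byte_index: int, bit: int) -> bytes:
    """Flip one bit of one byte in a stored frame."""
    data = bytearray(frame)
    data[byte_index] = flip_bit(data[byte_index], bit)
    return bytes(data)


def demo() -> dict:
    # The slide's example: ASCII 65 ('A') and 97 ('a') differ in exactly one bit.
    a_to_lower = flip_bit(65, 5)  # 0b1000001 -> 0b1100001 = 97

    # Constructed trip setpoint "SP=0120" protected by a CRC. Flipping bit 3 of
    # the byte '1' (0x31) gives '9' (0x39), so a plain read returns "SP=0920".
    frame = protect(b"SP=0120")
    bad = corrupt(frame, 4, 3)

    # Parity catches a single flipped bit but misses two flips in the same byte.
    single = flip_bit(65, 5)
    double = flip_bit(single, 0)
    return {
        "a_to_lower": a_to_lower,
        "intact_ok": verify(frame) == b"SP=0120",
        "corrupted_payload": bad[:-4],  # what an unchecked read would return
        "corrupted_detected": verify(bad) is None,
        "parity_catches_single": parity(65) != parity(single),
        "parity_catches_double": parity(65) != parity(double),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val!r}")
```

A real logic solver would do the same check on every read of a safety parameter and go to the safe state on mismatch, rather than operate on a value it cannot vouch for.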
Safety Instrumented Systems States

» A safety instrumented system can be in 4 different states
* Ok: no internal failures
* Safe: the safety instrumented system fails in a way that the safety function is carried out without a demand
* Dangerous: the safety instrumented system fails in a way that the safety function cannot be carried out in case of a demand
* Intermediate: the safety function can still be carried out despite one or more internal safety instrumented system failures

SIS Versus Process

SIS state    | Process to be protected
Ok           | Process is available
Safe         | Process has tripped
Dangerous    | Process is available but not protected
Intermediate | Process is available, SIS is available, but it is time to repair it

Safety Instrumented System Failures

» Safety instrumented systems can fail because of...
* Random hardware failures
* Common cause hardware failures
* Systematic failures
» Any of these failures puts the safety instrumented system into a specific system state
* Safe
* Dangerous
* Intermediate

Random Hardware Failures

» Definition
* A spontaneous failure of a hardware component at any given time
* Permanent: exists until repaired
* Dynamic: exists only under certain circumstances
» IEC 61508 approach
* Measures to control failures
* Hardware qualitative and quantitative (PFDavg, PFH) reliability study

Measures To Control Failures

Technique / Measure (the recommendation level per SIL was lost in extraction):
* Measures against voltage breakdown, voltage variations, overvoltage, low voltage and other phenomena such as a.c. power supply frequency variation that can lead to dangerous failure
* Increase of interference immunity
* Measures against the physical environment (for example, temperature, humidity, water, vibration, dust, corrosive substances)
* Measures against temperature increase
* Spatial separation of multiple lines
* Idle current principle (where continuous control is not needed to achieve or maintain a safe state of the EUC)
* Diverse hardware
Source: Tables A.2 and C.2 of IEC 61508-3

Random Hardware Failure Example

Common Cause Hardware Failures

» Definition
* Failures which result from events causing simultaneous or coincident failures of two or more separate channels in a multiple channel system, leading to system failure
* These events are related to the environment (heat, EMC, flooding, ...)
» IEC 61508 approach
* Diversity as a measure to control failures
* Take into account during quantitative reliability analysis (PFDavg, PFH)

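The quantities named on the SIL slide (PFDavg, safety availability, risk reduction) and the random-hardware and common-cause contributions the last two slides say must enter the quantitative analysis, carried through for one loop as an added example (not course material). It uses the simplified IEC 61508-6 Annex B expressions for 1oo1, 1oo2 and 2oo3 with the beta-factor model for common cause; the failure rates, proof-test interval and beta value are constructed numbers, not data for any real device.

```python
"""Simplified low-demand PFDavg estimates for common SIS architectures.

Added example, not from the course. The formulas are the usual simplified
IEC 61508-6 Annex B expressions (dangerous undetected failures only, no
repair-time term); the common-cause share is the beta-factor model from the
same annex. All rates and intervals below are constructed numbers.
"""

# PFDavg bands per SIL for low demand mode (IEC 61508-1 Table 2).
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def sil_from_pfd(pfd_avg: float) -> int:
    """SIL band a PFDavg falls into; 0 if no SIL can be claimed (>= 0.1 or < 1e-5)."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd_avg < hi:
            return sil
    return 0


def pfd_1oo1(lambda_du: float, ti: float) -> float:
    """Single channel: PFDavg ~ lambda_DU * TI / 2."""
    return lambda_du * ti / 2


def pfd_1oo2(lambda_du: float, ti: float, beta: float) -> float:
    """Two channels, either one trips. Independent part (1-beta)*lambda_DU,
    common-cause part beta*lambda_DU behaves like a single channel."""
    ind = (1 - beta) * lambda_du
    return (ind * ti) ** 2 / 3 + beta * lambda_du * ti / 2


def pfd_2oo3(lambda_du: float, ti: float, beta: float) -> float:
    """Two-out-of-three voting: three 1oo2 pairs, so 3x the 1oo2 independent term."""
    ind = (1 - beta) * lambda_du
    return (ind * ti) ** 2 + beta * lambda_du * ti / 2


def assess_loop(elements: dict) -> dict:
    """Sensor, logic solver and final element are in series: their PFDavg values add."""
    total = sum(elements.values())
    return {
        "pfd_avg": total,
        "sil": sil_from_pfd(total),
        "risk_reduction_factor": 1 / total,
        "safety_availability": 1 - total,
        "dominant": max(elements, key=elements.get),
    }


def demo() -> dict:
    ti = 8760.0       # one-year proof-test interval, hours (constructed)
    lam_tx = 1e-6     # lambda_DU per transmitter, per hour (constructed)
    lam_valve = 5e-7  # lambda_DU of the shutdown valve, per hour (constructed)
    beta = 0.10       # common-cause factor for identical transmitters (constructed)

    loop = {
        "sensor_1oo2": pfd_1oo2(lam_tx, ti, beta),
        "logic_solver": 1e-5,  # constructed vendor figure
        "valve_1oo1": pfd_1oo1(lam_valve, ti),
    }
    return {
        "single_tx": sil_from_pfd(pfd_1oo1(lam_tx, ti)),             # SIL 2 on its own
        "tx_1oo2_no_beta": sil_from_pfd(pfd_1oo2(lam_tx, ti, 0.0)),  # SIL 4: over-optimistic
        "tx_1oo2": sil_from_pfd(loop["sensor_1oo2"]),                # SIL 3 once beta is counted
        "loop": assess_loop(loop),                                   # SIL 2: the valve dominates
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(demo())
```

Two things the numbers show that the slides only state: leaving beta out of a redundant subsystem makes it look two SIL levels better than it is, and the loop's SIL is set by its weakest element (here the single valve), not by the best one.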
Common Cause Does Not Happen?

[Photo: complete plant flooded because of heavy rainfall, bad drainage and dike failure]

Systematic Failures

» Definition
* A hidden fault in design or implementation
* Software as well as hardware
* Design specifications
* User manuals
* Procedures, etc.
* Can occur in any lifecycle phase
» IEC 61508 approach
* Measures to avoid failures
* NOTE: not included in the quantitative reliability analysis (PFDavg, PFH)

Measures To Avoid Failures

Technique / Measure (the recommendation level per SIL 1, SIL 2, SIL 3 was lost in extraction):
* Project management
* Documentation
* Separation of E/E/PE system safety functions from non-safety functions
* Structured specification
* Inspection of the specification
* Semi-formal methods
* Checklists
* Computer aided specification tools
* Formal methods

When Do Failures Occur?

Analysis of 34 incidents, based on 56 causes identified (HSE):
* Specification: 44.1%
* Changes after commissioning: 20.6%
* Operations and maintenance: 14.7%
* Design and implementation: 14.7%
* Installation and commissioning: 5.9%

Source: "Out of control: Why control systems go wrong and how to prevent failure" (2nd edition, © Health & Safety Executive HSE, UK)

One Final Note

» Common cause versus systematic failures
* When a common cause event takes place, all identical devices fail at the same time
* When a systematic failure exists, all identical devices fail at the same time
» In other words, the effect of a common cause or systematic failure is the same at safety function level, i.e., the safety function fails
» We distinguish between common cause and systematic failures because we need to take away the cause in a different way
* Common cause: the solution could be diversity (measures to control failures)
* Systematic: the solution could be changing procedures, more testing, etc. (measures to avoid failures)
» So we deal with the same problem (losing the safety function) in a different way

Or Maybe We Do ....

What Is Functional Safety?

» A safety instrumented system is 100% functionally safe if
* All random, common cause and systematic failures do not lead to malfunctioning of the safety system and do not result in
* Injury or death of humans
* Spills to the environment
* Loss of equipment or production
» 100% functional safety does not exist, but SIL 1, 2, 3 or 4 does

History Functional Safety

» 1970: First TÜV certified safety system (oil pipeline, Germany and Italy)
» TÜV book "Microcomputers in safety techniques"
» DIN 19250 & DIN V VDE 0801 released
» Development of IEC 61508 started
» First release of IEC 61508
» 2003: IEC 61511 released
» 2004: IEC 62061 released
» 2005: EN 50402 released; BP Texas City accident
» 2nd edition of IEC 61508 released
» 2011: ISO 26262 released; Fukushima accident

Functional Safety Standards

» For safety instrumented systems there are two important standards when it comes to functional safety:
* IEC 61508 - Functional safety of electrical / electronic / programmable electronic safety-related systems
* IEC 61511 (== ANSI/ISA 84.00.01) - Functional safety: safety instrumented systems for the process industry sector

Overview IEC 61508

» Part 1: General requirements
» Part 2: Requirements for electrical, electronic, programmable electronic systems (E/E/PES)
» Part 3: Software requirements
» Part 4: Definitions and abbreviations
» Part 5: Examples of methods for the determination of safety integrity levels (SIL)
» Part 6: Guidelines on the application of Parts 2 & 3
» Part 7: Overview of techniques and measures

IEC 61508-1

[Figure: cover page of IEC 61508-1, International Standard, Basic Safety Publication: "Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 1: General requirements"]

[Figure: standards grouped around IEC 61508]
* IEC 61784-3: Profiles for safe communication
* Gas detection
* IEC TS 61000-1-2: EMC for functional safety
* IEC 61800-5-2: Power drives
* IEC 61326-3-x: Immunity for functional safety

Application Area IEC 61508

» IEC 61508 applies:
* To any electrical / electronic / programmable electronic (E/E/PE) safety related system
* Especially where no sector-specific functional safety standard exists
* Anywhere in the world where it is accepted

Application Area IEC 61508

» Typical applications are
* Programmable electronic systems (PES)
* Safety instrumented systems (SIS)
* Emergency shutdown systems (ESD)
* High integrity pressure protection systems (HIPPS)
* Burner management systems (BMS)
* Fire & gas systems (F&G)
* Overspeed protection systems
* Emergency brake of a train
» Any other names?

Overview IEC 61511

» Part 1: Framework, definitions, system, hardware and software requirements
» Part 2: Guidelines for the application of IEC 61511-1
» Part 3: Guidance for the determination of the required safety integrity levels

Application Area IEC 61511

» IEC 61511 applies to safety instrumented systems
* Instruments (E/E/PE or not)
* Logic solver (E/E/PE or not)
* Actuators (E/E/PE or not)

IEC 61508 Versus IEC 61511

[Figure: process sector safety instrumented system standards]
* IEC 61508: manufacturers and suppliers of devices
* IEC 61511: safety instrumented system designers, integrators and users

Exercise # 01

» See exercises printout
* Which failure categories exist?
* Classify failures

Summary Module 1

» What we learned...
* We now know what functional safety is
* Where it is coming from
* What layers of protection are
* What SIL is all about
* What the practical problems with safety instrumented systems are
* And we got to know the two most important functional safety standards in our industry

The Basics of Functional Safety

» In this module
* Functional safety management
* Lifecycle concept
* Documentation
* Implementation and monitoring
* Verification, validation, assessment and audits
* Modifications
* Competency

Why Manage Safety?

[Figure: "What Went Wrong?"]
» So why do we actually want to manage safety?
* Safety should be the only outcome of a project
* Safety should not be a lucky shot
* Safety should be traceable and repeatable

Functional Safety Management

» Objectives are twofold
* Define all technical and management activities during the lifecycle of the safety instrumented systems
* Specify responsibilities for activities of persons, departments and organizations

IEC 61511 Lifecycle Concept

[Figure: IEC 61511 safety lifecycle. Phase labels recovered: Operation and Maintenance; Decommissioning. Activities shown running alongside all phases: Functional Safety Management and Assessment; Lifecycle Structure and Planning; Verification]

Lifecycle Concept

» A lifecycle helps us in a systematic way to
* Identify activities that need to be carried out
* Identify required expertise/competencies per phase
* Identify the documentation requirements to carry out the activities
* Deal with responsibilities for the activities
* Deal with FSM, V&V, assessment and audit activities
» In practice different lifecycles are used by different stakeholders
* End-users, integrators, developers, hardware, software ...
» In practice somebody needs to manage this...

Lifecycle & Frequency of Failures

[Figure: IEC 61508 overall safety lifecycle (phase labels recovered: 2. Overall scope definition; 3. Hazard and risk analysis; overall safety requirements allocation; other risk reduction measures; installation and commissioning; validation; operation and maintenance; maintenance, repair and retrofit) mapped against the HSE failure-cause categories: specification; changes after commissioning; operations and maintenance; installation and commissioning; design and implementation]

Documentation

» Why should safety be documented?
* We work in lifecycle phases; we need to pass on information to different engineering disciplines
» Documentation needs to exist for the purpose of
* Carrying out the work
* Verifying the work
* Assessing the work
* Auditing the work

Documentation

» Documentation should
* Be accurate
* Be easy to understand
* Suit the purpose for which it is intended
* Be available, accessible, maintainable
» Documentation should be formally controlled
* Title, author, date, revision index
* Reviews and approval
* Traceability to requirements
* Etc.

Typical Documentation

Phase                               | Information
All phases                          | Planning documents: e.g., safety plan, verification plan
Hazard and risk analysis            | P&IDs, PFD, material data sheets, equipment information, HAZOP, FMEA, FTA, LOPA
(phase name lost in extraction)     | Specifications: safety functions, systems, equipment and their ...
Realization                         | System design, hardware design, software design, layout, circuit diagrams, manuals, PFD/PFS calculations & data
Overall installation and commissioning | Checklists, test report of installation and commissioning
Overall safety validation           | Validation plan, FAT, SAT test results
Overall operation and maintenance   | FS audit reports, spurious trip reports, demand reports, proof ...
Overall modification and retrofit   | Modification request, impact analysis report, approval statement, re-verification test reports

Implementation and Monitoring

» Performance of the SIS depends on having the right procedures
* Procedures to handle recommendations from
* Hazard and risk analysis
* Assessments and audits
* Verification
* Validation
* Post incident activities
* Procedures on how to deal with suppliers of products and/or services
* Procedures for monitoring that the original safety requirements are still valid

V&V, Assessments, Audits

» A few important terms that are often misunderstood
* Verification
* Validation
* Assessments
* Audits

Verification Versus Validation

» Both verification and validation mean we are testing something
» What is verification?
* Did I build the product/system correctly?
* Did I carry out the procedure correctly?
* Verification is carried out after each lifecycle phase
» For example
* Requirement for system integrator: Select correct safety instrumentation for a SIL 2 loop
* Verification activity: Engineer verifies for each piece of equipment the safe failure fraction, hardware fault tolerance, software, environmental conditions, etc.

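The safe-failure-fraction and hardware-fault-tolerance part of that verification activity, as an added example (not course material): each element of a proposed SIL 2 loop is checked against the architectural constraints of IEC 61508-2 Tables 2 and 3, which bound the SIL a subsystem may claim by its SFF, its HFT and its type (A or B). The loop composition and every failure rate below are constructed for the illustration; they are not figures for any real product.

```python
"""Architectural constraints check for a SIL 2 loop (IEC 61508-2 Tables 2 and 3).

Added example for the verification activity described above; it is not from
the course. The maximum SIL a subsystem may claim depends on its safe failure
fraction (SFF), its hardware fault tolerance (HFT) and whether it is type A
(simple, well-understood) or type B (complex, e.g. microprocessor based).
The failure rates below are constructed numbers in FIT (failures per 1e9 h).
"""

# Maximum claimable SIL indexed by [sff_band][hft]; 0 means not allowed.
# SFF bands: 0: < 60 %, 1: 60 % to < 90 %, 2: 90 % to < 99 %, 3: >= 99 %.
TYPE_A = ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4))
TYPE_B = ((0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4))


def sff(lambda_sd: float, lambda_su: float, lambda_dd: float, lambda_du: float) -> float:
    """Safe failure fraction: everything except dangerous undetected, over the total."""
    total = lambda_sd + lambda_su + lambda_dd + lambda_du
    return (total - lambda_du) / total


def sff_band(value: float) -> int:
    if value < 0.60:
        return 0
    if value < 0.90:
        return 1
    if value < 0.99:
        return 2
    return 3


def max_sil(type_b: bool, sff_value: float, hft: int) -> int:
    """Highest SIL the subsystem may claim for this SFF, HFT and type."""
    table = TYPE_B if type_b else TYPE_A
    return table[sff_band(sff_value)][min(hft, 2)]


def check_loop(elements: list, target_sil: int) -> dict:
    """Verify every element of the loop against the target SIL.

    Each element: dict with name, type_b, hft and the four failure rates.
    """
    findings = []
    for e in elements:
        value = sff(e["sd"], e["su"], e["dd"], e["du"])
        allowed = max_sil(e["type_b"], value, e["hft"])
        findings.append({"name": e["name"], "sff": round(value, 4),
                         "max_sil": allowed, "ok": allowed >= target_sil})
    return {"target": target_sil, "findings": findings,
            "loop_ok": all(f["ok"] for f in findings)}


# Constructed SIL 2 loop as first proposed: one transmitter (type B, HFT 0),
# a certified logic solver, and a single shutdown valve with solenoid (type A, HFT 0).
PROPOSED_LOOP = [
    {"name": "pressure transmitter", "type_b": True, "hft": 0, "sd": 0, "su": 300, "dd": 400, "du": 100},
    {"name": "logic solver", "type_b": True, "hft": 0, "sd": 500, "su": 500, "dd": 2990, "du": 10},
    {"name": "shutdown valve", "type_b": False, "hft": 0, "sd": 0, "su": 250, "dd": 0, "du": 250},
]


def fixed_loop() -> list:
    """Same devices with a second transmitter (1oo2) and a second valve, i.e. HFT 1."""
    fixed = [dict(e) for e in PROPOSED_LOOP]
    fixed[0]["hft"] = 1
    fixed[2]["hft"] = 1
    return fixed


if __name__ == "__main__":
    from pprint import pprint
    pprint(check_loop(PROPOSED_LOOP, 2))
    pprint(check_loop(fixed_loop(), 2))
```

On the constructed data the single transmitter (SFF 87.5 %, type B, HFT 0) and the single valve (SFF 50 %, type A, HFT 0) are each limited to SIL 1, so the proposed loop fails verification although every device is individually "SIL capable"; adding one level of hardware fault tolerance to both brings the loop to SIL 2. This is the architectural check only; the PFDavg calculation is a separate requirement.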
Verification Versus Validation

» What is validation?
* Did I build the correct product/system?
* Did I use the correct procedure?
* Validation is a phase in the lifecycle
* Validation needs to be verified
* Validation is carried out by the "customer": Did I receive what I ordered?
» For example:
* End-user requirement: Build a SIL 2 emergency shutdown function
* Validation activity: End-user performs Site Acceptance Tests (SAT)

Verification

» IEC 61508
* confirmation by examination and provision of objective evidence that the requirements have been fulfilled
» IEC 61511
* activity of demonstrating for each phase of the relevant safety life cycle by analysis and/or tests, that, for specific inputs, the outputs meet in all respects the objectives and requirements set for the specific phase

[Figure: input documentation -> activity performed -> output documentation]

How We Do Verification in Practice

» Verification depends on the work to be performed in the lifecycle phase
* Visual inspection of a P&ID
* Review meetings
* HAZOP, FMEAs, SIL calculation reports
* List of open points
* Etc.
» Verification is done
* By testing, simulation, analysis ...
* By product suppliers and third parties
* By everybody and for everything

Validation

» IEC 61508
* confirmation by examination and provision of objective evidence that the particular requirements for a specific intended use are fulfilled
» IEC 61511
* activity of demonstrating that the safety instrumented function(s) and safety instrumented system(s) under consideration after installation meet in all respects the safety requirements specification

[Figure: input documentation -> output documentation]

How Do We Do Validation in Practice?

» Validation is performed on the real safety instrumented system
» Validation is done
* By testing, simulation, visual inspection, ...
* To check whether we received what we ordered
» Validation should be done
* By the end-user of the safety instrumented system
» For safety instrumented systems validation is typically done via a
* Factory Acceptance Test - FAT - partial validation
* Site Acceptance Test - SAT - full validation
» Validation needs to be verified
* Review filled out checklists
* Review FAT/SAT reports

Verification and/or Validation Activities

» For both verification and validation we need to
* Plan the tests
* Perform the tests, and
* Document the results of the tests
» What is the basis for testing?
* For validation this is the safety requirements specification (SRS)
» What are we testing?
» Who is testing?
» What tools/techniques/equipment is needed to test?
» What pass/fail criteria do we have?
» How to handle non-compliances?

Overview

[Figure: input documentation -> activity performed -> output documentation]

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About Assessments 


Eria an insotor 


» Why do we need assessments? 
» The Assessor checks whether the people did what we ask them to do 

» What does an Assessor try to answer? 

Which lifecycle was applied? á 

Did we select competent people for the activities? 

Were the people formally trained? 

Is the input documentation for each lifecycle phase defined? 

Did we produce the appropriate output documentation? 

Did we follow up on previous recommendations? 

Did the responsible, e.g., the system integrator, follow the plan? 

Etc. 
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Functional Safety Assessment 


» Functional safety assessment(s) (FSA) 
+ Check whether everything was carried out as it was planned to be carried out 
> Are carried out for each phase of the lifecycle or a combination of phases 
» Are carried out with sufficient independence 

> What is it not? 


' Is not the same as V&V 


* Does not verify the technical content in detail 
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Level of Independence - IEC 61508 


+ Independence applies to assessment and audits, not V&V activities, according to 
IEC 61508 

Minimum level of independence (IEC 61508-1, minimum levels of independence for functional safety assessment):

Minimum Level of Independence | SIL 1 | SIL 2 | SIL 3 | SIL 4 
Independent person            | X     | X¹    | Y     | Y 
Independent department        | –     | X²    | X¹    | Y 
Independent organization      | –     | –     | X²    | X 

– = not necessary; Y = not sufficient; X = sufficient 

X¹ = If X² applies then X¹ should be read as NR (i.e. Y, not sufficient) 

X² = Applies if less previous experience, more complexity, novelty of design, newer 
technology, etc. 
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Audits 
» Audits are similar to assessments 
» Basically it is a periodically performed assessment 


» Applies to "long" lifecycle phases like the operation, maintenance and repair 
phase 


* Additionally audit procedures are required 
» Frequency of audits 
* Recording and follow-up 


' The same independence applies between the people doing the work and the people performing 
the audits 
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Modifications 


' What is a modification? 

' Any change that takes place after a lifecycle phase has been completed is a modification 


» Anything else is a change 
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Modifications Need to Be Managed 


* A modification procedure needs to be defined upfront 
» Why do we need to manage modifications? 
* We need to understand the impact of the desired modification, do we need to 
» Adjust a safety limit in software? 
» Replace a safe device with another one of a different brand? 
» Change the architecture of safety loop? 
» Redo testing? How much testing needs to be redone? 
» Redo documentation? Which documentation? 
' Etc 


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Don't Just Start Making Modifications 


* You always need to follow the modification procedure 


* Only qualified and properly trained personnel are allowed to perform 
modifications 


» Request the desired modification, which will address the following: 
» What is the reason for the change? 
» What hardware and/or software needs to be changed? 
» Which hazards are affected? 

» The request is sent to the Modification team for approval 


' Start an Impact Analysis 
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Impact Analysis 


» An impact analysis includes: 
» An assessment of what impact the change has 


* A hazard and risk analysis to understand which lifecycle phases are affected, and to what 
extent 


* A guarantee of functional safety at all times 
+ The impact analysis is sent to the Modification team for review 


* The result of the impact analysis determines whether the modification will be authorized 
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Modification Documentation 


» What needs to be documented? 
» The modification or retrofit request including a description of the modification 
» The hazards that might be affected due to this modification 
» The impact analysis 
» The modification's approval 
» The actual work performed 
» Re-verification and revalidation of data and results 


» All documents affected by the modification and retrofit activity 
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Competency of People 


» Competency should measure 
* Knowledge 
* Formal training 
* Experience 
» In the area of 
> Application 
» Technology 
» Standards, regulations, law 


» Competency should be periodically refreshed, updated and continuously assessed 
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Exercise # 02 


* Verification of a safety requirement specification 


* What do we verify when we verify... 




Exercise # 03 


* Case study: Accident Documentary 
* Next a documentary is shown 


» Write down everything that has gone wrong during this accident and that has to 
do with functional safety management 
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Summary Module 2 


» Summary 
> Basics of functional safety starts with good management 

* Functional safety management 

» Lifecycle 
Documentation 
Verification & validation, assessment, and audits 
Modification 

* Competency 


Have the right people, do the right work, at the right time, using the right tools and 
the right techniques 
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Hazard & Risk Analysis 
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Hazard & Risk Analysis 


» In this module: 
^ How much safety is enough? 
» Risk management 
* Hazard identification 
* Hazard analysis 
» Risk reduction 
> Techniques 
* Risk graph, risk matrix 


' Identification of safety functions 
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Where Are We? 
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HRA Nomenclature 


* Many different names exist in this industry 

* AHA - Area Hazard Analysis 

* HAZID — Hazard Identification Analysis 
HAZAN - Hazard Analysis 
HAZOP - Hazard and Operability Analysis 
LOPA - Layers of Protection Analysis 
OHA - Operability Hazard Analysis 
PHA — Process Hazard Analysis 

+ QRA - Quantitative Risk Analysis 


» Any other names you have heard? 
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What Is a Hazard? 


' Definitions 
+ A substance, object or situation that can give rise to injury or damage (Kletz) 


' An inherent physical or chemical characteristic that has the potential for causing 
harm to people, property, or the environment (AIChE) 


' Potential source of harm (IEC 61508/61511) 
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What Is a Hazardous Event? 


' A hazardous event occurs when the potential harm of the hazard has actually happened. 


' Also referred to as hazardous scenario 


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What Is Risk? 


' The risk we talk about is related to a hazard 
' Risk is a combination of 

* The severity of consequences (C) 

* The frequency of occurrence (F) 

» Risk = C × F 


> We need to determine the risk associated with the hazardous event 
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What Is Tolerable Risk? 


* The basis of risk analysis: tolerable risk 
» How much risk do you tolerate? 


» How can we estimate how much risk reduction we need if we do not know how 
much we tolerate? 


* Who determines tolerable risk? Society does... 
' Risk of smoking 
' Risk of driving a car 


* Risk of doing business 
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Tolerable Risk 


^ How governments think about us: 


Country | Maximum risk to the public 
[Table: values per country not legible] 


Source: CCPS 
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Risk Reduction 


[Figure: risk reduction. The risk of the hazardous event is reduced by the SIS down to the residual risk, which must lie below the tolerable risk; the difference is the achieved risk reduction] 
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Risk Reduction In Practice 


[Figure: risk reduction in practice. Axes: frequency of the hazardous event against consequences. Layers shown from the hazardous event outward: active protection layer (safety instrumented system, SIS), passive protection layer (burst plate, relief valve), containment system] 

Copyright © 2002 - 2011 Risknowlogy®. All rights reserved. 


Risk Management 


> Three important steps 
* Identify the hazards / hazardous events 
* Analyze the hazards / hazardous events 
* Reduce risk where necessary 
» How do we do that? Three categories of techniques are available 
* Qualitative: everything expressed in words 
' Quantitative: everything expressed in numbers 


' Semi-quantitative: a mixture of words and numbers 
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Hazard Identification 


> Hazard identification 


* Once all hazards are identified the job is half done 


» Is the first and most important step when identifying the required safety functions 
for your safety instrumented systems 


* A safety function is useless if it is not linked to a hazard or hazardous event 


* Safety instrumented systems not based on hazards are either 


» Over dimensioned $$$ or 
» Under dimensioned $$$$$$ 
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Hazard Identification Techniques 


' Many hazard identification techniques exist 
' Some examples in use today are 
* Check list analysis 
* What if analysis 
> Failure modes and effects analysis (FMEA) 
> Fault tree analysis (FTA) 
> Hazard and operability analysis (HAZOP) 
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Hazard Identification Techniques 


* For all techniques it holds that... 
> They are best performed in a team 
+ Information needed includes: 
' The physical environment of the process including neighbors 
* The equipment under control (EUC) 
* The basic process control system and its functions 


* Information about hazards and basic materials 
(toxicity, explosive conditions, corrosiveness, reactivity, flammability, etc) 


* Existing safety regulations 
(laws, standards, industry guidelines, etc) 
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Failure Mode and Effects Analysis - l 
» About FMEA 
» First formal applications in 1960 in the aerospace industry 
' It can be used for products, systems and processes 
' First of all it is a design technique 


' But it is better known as a verification technique 


' It is mainly used as a qualitative technique 
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Failure Mode and Effects Analysis 
' ...more specifically it 
» Is a bottom-up technique 
' Is a single failure mode analysis technique 
+ Does not consider multiple failures at the same time 


^ Common causes are not explicitly addressed 
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Different Variations Exist 


» FMEA can be adjusted to the problem or needs at hand, e.g.: 
» FMEA - Failure mode and effects analysis 
> Basic technique for products and processes 
» FMECA - Failure mode, effects, and criticality analysis 
» For processes 
> FMEDA - Failure mode, effects and diagnostic analysis 
' For products 
» Functional FMEA 


» The process is analyzed based on functions rather than the hardware (and 
software) used to carry out the functions 
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Example Process FMEA 


Component | Failure or error mode | Effects on other system components | Effects on whole system | Hazard class | Failure frequency | Detection methods | Compensating provisions and remarks 
Pressure relief valve | Jammed open | Increased operation of temperature sensing controller and gas flow due to hot water loss | Loss of hot water; greater cold water input, and greater gas consumption | | Reasonably probable | Pressure relief | Shut off water supply, reset or replace relief valve 
Pressure relief valve | Jammed closed | | None | | Probable | Manual testing | Unless combined with other component failure this failure has no consequence 
Gas valve | Jammed open | Burner continues to operate. Pressure relief valve opens | Water temperature and pressure increase. Water -> steam | | Reasonably probable | Water at faucet too hot | Open hot water faucet to relieve pressure. Shut off gas supply. Pressure relief valve compensates 
Gas valve | Jammed closed | Burner ceases to operate | System fails to produce hot water | | | Observe at output | 


Source: Recht; Himmelblau, 1978 
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Typical Steps 


* Typical steps to conduct an FMEA study 

+ Define scope of the analysis 

» Define system function to be analyzed 
List all components 
Identify failure modes 
Analyze the effects 
Document the results 
Identify any other information of interest 


+ Failure rates, causes, independent protection layers, etc 
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Another Example of an FMEA Worksheet 


Component Information | Failure Information 

Name | ID | Function | Failure mode | Failure rate | Cause | Effect Component Level | Effect System Level | Probability 
SOV | SOV | Pilot valve for main air supply ESD valve | Stuck open | 5.50E-07 | | | ESD valve cannot shutdown upon demand | 
 | | | Stuck closed | 4.60E-05 | Mechanical failure | No air flow | ESD valve closes without a demand, spurious trip | 
 | | | Leakage | 1.30E-04 | Connection not tight | Limited air supply | ESD valve closes without a demand, spurious trip | 
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Failure Rate 


Component Information | Failure Information 

Function | Failure mode | Failure rate | Cause 
Pilot valve for main air supply ESD valve | Stuck open | 5.50E-07 | Internal mechanical failure 
 | Stuck closed | 4.60E-05 | Internal mechanical failure 
 | Leakage | 1.30E-04 | Connection not tight 


Example Failure Rate Table 

Qualitative | Quantitative 
[Table: failure rate classes not legible] 
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Failure Information 


Failure mode | Failure rate | Cause | Effect Component Level | Effect System Level | Probability 


Example Effect Table 

Failure effect | Description 
 | The failure will not have much influence on the performance of the system 


Example Probability Table 

Qualitative | Quantitative 
Probably    | 0.5 ≤ p < 0.95 
Likely      | 0.05 ≤ p < 0.5 
Unlikely    | 0 ≤ p < 0.05 

(p = probability that the effect actually takes place) 


FMEA Results 


* Advantages of FMEA 


» You have a complete documented safety study 
» Easy to understand and to apply 
» Easy to verify 
» Disadvantages of FMEA 
» Can be a lot of work for an existing process 


* Does not consider multiple failures at the same time (common cause) 
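The worksheet slides above can be turned into a small calculation. The following Python is an added example, not part of the Risknowlogy course material: it builds the SOV pilot-valve rows from the worksheet printed earlier (the failure rates are those printed; the split of the system-level effect into "dangerous" and "safe", the effect probabilities and the simplified 1oo1 PFD formula are assumptions of this example), classifies each effect probability with the page's probability bands, and sums the effective rates per system-level effect so the failure modes can be ranked by criticality, which is what the FMECA variant adds to a plain FMEA.

```python
"""FMEA/FMECA worksheet arithmetic for the SOV pilot valve (added example).

Failure rates are per hour, as printed on the worksheet slides.  Which
system-level effect a failure mode produces and how probable that effect is
are assumptions made for this example, not data from the course.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass
class FailureMode:
    component: str
    mode: str
    failure_rate: float     # failures per hour
    cause: str
    effect_component: str   # effect at component level
    effect_system: str      # "dangerous" (fails on demand) or "safe" (spurious trip)
    probability: float      # probability that the system-level effect actually occurs


def probability_class(p: float) -> str:
    """Qualitative band from the page's Example Probability Table."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    if p < 0.05:
        return "Unlikely"
    if p < 0.5:
        return "Likely"
    if p < 0.95:
        return "Probably"
    return "Sure"


# The three worksheet rows printed on the page; effect probabilities are assumed.
WORKSHEET = [
    FailureMode("SOV", "Stuck open", 5.50e-7, "Internal mechanical failure",
                "Air supply to ESD valve cannot be vented", "dangerous", 1.0),
    FailureMode("SOV", "Stuck closed", 4.60e-5, "Internal mechanical failure",
                "No air flow", "safe", 1.0),
    FailureMode("SOV", "Leakage", 1.30e-4, "Connection not tight",
                "Limited air supply", "safe", 0.3),  # assumed: a small leak trips 30% of the time
]


def effective_rate(row: FailureMode) -> float:
    """Rate at which this failure mode actually produces its system-level effect."""
    return row.failure_rate * row.probability


def effect_rates(rows) -> dict:
    """Total effective rate per system-level effect (per hour)."""
    totals = {"dangerous": 0.0, "safe": 0.0}
    for r in rows:
        totals[r.effect_system] += effective_rate(r)
    return totals


def ranked(rows) -> list:
    """Failure modes ordered by criticality, highest effective rate first."""
    return sorted(rows, key=effective_rate, reverse=True)


def spurious_trips_per_year(rows) -> float:
    return effect_rates(rows)["safe"] * HOURS_PER_YEAR


def pfd_avg_1oo1(rows, proof_test_interval_hours: float) -> float:
    """Simplified single-channel average PFD, lambda_D * T / 2, assuming every
    dangerous failure stays undetected until the next proof test."""
    return effect_rates(rows)["dangerous"] * proof_test_interval_hours / 2.0


def render(rows) -> list:
    """One worksheet line per failure mode, ranked by criticality."""
    return [
        f"{r.component:<4} {r.mode:<12} {r.failure_rate:9.2e}/h  "
        f"{r.effect_system:<9} {probability_class(r.probability):<9} {r.cause}"
        for r in ranked(rows)
    ]


if __name__ == "__main__":
    print("\n".join(render(WORKSHEET)))
    print(f"spurious trips per year: {spurious_trips_per_year(WORKSHEET):.2f}")
    print(f"PFDavg with a one-year proof test: {pfd_avg_1oo1(WORKSHEET, HOURS_PER_YEAR):.2e}")
```

Ranking by effective rate puts "stuck closed" first (4.6E-05/h) and the dangerous "stuck open" mode last (5.5E-07/h), which is the point of the criticality column: the mode that matters for the safety function is the rare one, and its rate is what later feeds the PFD, while the two safe modes together give roughly 0.74 spurious trips per year. Because every row is evaluated on its own, the sheet still says nothing about two modes happening together, the common-cause limitation listed above.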
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Exercise #04 


'Case Study: Carry out an FMEA 


[Figure: reactor case study: Material A feed with flow transmitter (FT), BPCS with ratio controller and controller, reactor] 
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Fault Tree Analysis 


* About FTA 


» It is a top-down technique 


' It starts with an undesired top event and from there we try to find out all possible 
combinations of failures that can lead to the top event 


' It is a verification technique 
' Can be performed qualitatively as well as quantitatively 


* Most common technique for causal analysis in risk and reliability studies, 
especially in the nuclear industry 
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Typical Steps 


* Typical steps to conduct an FTA study 
» Define scope of project 
' Select a set of symbols 
» Depends on software tool 
' Define the top event 
* Create fault tree 
» Analyze the fault tree 


* Document results 
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Typical FTA Event Symbols 


Symbol | Meaning 
Primary or basic event | Basic fault event requiring no further development 
Undeveloped event | Fault event which has not been further developed 
Intermediate event | Fault event which occurs due to antecedent causes acting through a logic gate 
Conditioning event | Specific condition which applies to a logic gate (used mainly with Priority AND and Inhibit gates) 
External event | External event which is normally expected to occur 


Source: IEC 61025 
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Typical FTA Logic Symbols 


Symbol | Meaning 
AND gate | Output exists only if all inputs exist 
OR gate | Output exists if one or more inputs exist 
INHIBIT gate | Output exists if input occurs in presence of the specific enabling condition (specified by conditioning event to right of gate) 
PRIORITY AND gate | Output exists if all inputs occur in a specific sequence (specified by conditioning event to right of gate) 
EXCLUSIVE OR gate | Output exists if one and only one input exists 
VOTING gate | Output exists if there are m-out-of-n inputs 
TRANSFER IN | Symbol indicates that the tree is developed further at the corresponding TRANSFER OUT symbol 
TRANSFER OUT | Symbol indicating that the portion of the tree below the symbol is to be attached to the main tree at the corresponding TRANSFER IN symbol 

Source: IEC 61025 
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FTA Example Fire Pumps 


* Redundant fire pumps 


TOP event: 
No water from fire water system 


[Figure: fault tree for the fire water system; the top event is developed into the failures of Fire Pump 1 (FP1) and Fire Pump 2 (FP2), each branch including its engine] 


Source: Karydas, 2005 
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FTA Example Fire Pumps 


[Figure: the Fire Pump 2 (FP2) branch of the fault tree, developed down to the engine] 


Source: Karydas, 2005 
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FMEA — FTA Relationship 


[Figure: FMEA is inductive and works bottom up, from cause to effect; FTA is deductive and works top down, from the top event to its causes] 
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FTA Results 


» Advantages of FTA 


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* You found all possible combinations of equipment failures that can lead to a 


problem 


» You can find common mode problems 


» You can calculate the probability of the top event occurring 
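The last advantage above, calculating the probability of the top event, is shown below in an added example that is not part of the Risknowlogy course material. The tree is a small fire-water system in the spirit of the Karydas fire-pump example (two redundant pumps, each with its engine); the extra "fuel supply lost" event, the gate structure and all probabilities are assumptions. The block evaluates the IEC 61025 gates listed earlier (AND, OR, VOTING) in two ways: gate by gate assuming independent inputs, which is the hand calculation, and exactly, by enumerating every basic-event state, which is what exposes a common-cause event shared between branches.

```python
"""Fault tree evaluation with AND, OR and VOTING gates (added example).

Two ways of computing the top-event probability are shown:
  p_independent - gate by gate, assuming every gate input is independent
                  (the calculation usually done by hand);
  p_exact       - enumeration of all basic-event states, which stays correct
                  when one basic event appears under several gates.
The fire-water tree and its probabilities are assumptions for this example.
"""
from itertools import product


class Event:
    """Basic event with probability p of being in the failed state."""
    def __init__(self, name: str, p: float):
        self.name, self.p = name, p


class Gate:
    """Logic gate: kind is 'AND', 'OR' or 'VOTING' (k-out-of-n, k given)."""
    def __init__(self, kind: str, inputs: list, k=None):
        self.kind, self.inputs, self.k = kind, inputs, k


def fires(gate: Gate, n_true: int) -> bool:
    """Gate output given the number of inputs that occurred."""
    if gate.kind == "AND":
        return n_true == len(gate.inputs)
    if gate.kind == "OR":
        return n_true >= 1
    if gate.kind == "VOTING":
        return n_true >= gate.k
    raise ValueError(f"unknown gate kind {gate.kind!r}")


def combos(ps):
    """Every state of independent binary events with probabilities ps, with its weight."""
    for bits in product((False, True), repeat=len(ps)):
        w = 1.0
        for p, b in zip(ps, bits):
            w *= p if b else 1.0 - p
        yield bits, w


def basic_events(node, acc=None) -> dict:
    """Distinct basic events under node, keyed by name (a shared event counts once)."""
    acc = {} if acc is None else acc
    if isinstance(node, Event):
        acc[node.name] = node
    else:
        for i in node.inputs:
            basic_events(i, acc)
    return acc


def occurs(node, state: dict) -> bool:
    """Does node occur, given a name -> failed? mapping of the basic events."""
    if isinstance(node, Event):
        return state[node.name]
    return fires(node, sum(occurs(i, state) for i in node.inputs))


def p_independent(node) -> float:
    if isinstance(node, Event):
        return node.p
    ps = [p_independent(i) for i in node.inputs]
    return sum(w for bits, w in combos(ps) if fires(node, sum(bits)))


def p_exact(node) -> float:
    ev = list(basic_events(node).values())   # 2**len(ev) states: fine for small trees
    total = 0.0
    for bits, w in combos([e.p for e in ev]):
        if occurs(node, dict(zip((e.name for e in ev), bits))):
            total += w
    return total


def fire_water_tree(shared_fuel: bool = True) -> Gate:
    """TOP: no water from fire water system = both redundant pumps fail.
    A pump fails if its pump or engine fails or if fuel supply is lost; with
    shared_fuel the same fuel event feeds both branches (common cause)."""
    fuel1 = Event("fuel supply lost", 0.02)
    fuel2 = fuel1 if shared_fuel else Event("fuel supply 2 lost", 0.02)
    fp1 = Gate("OR", [Event("pump 1 fails", 0.05), Event("engine 1 fails", 0.03), fuel1])
    fp2 = Gate("OR", [Event("pump 2 fails", 0.05), Event("engine 2 fails", 0.03), fuel2])
    return Gate("AND", [fp1, fp2])


if __name__ == "__main__":
    for shared in (False, True):
        tree = fire_water_tree(shared)
        print(f"shared fuel={shared}: independent={p_independent(tree):.5f} "
              f"exact={p_exact(tree):.5f}")
```

With the fuel event shared, the gate-by-gate figure (about 0.0094) understates the exact top-event probability (about 0.026) by a factor of almost three; with separate fuel events the two agree. That is the common-mode problem FTA lets you find and a single-failure FMEA cannot. Enumeration is exponential in the number of basic events, so real tools work from minimal cut sets or binary decision diagrams instead, but the result they must reproduce is the exact one.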
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Disadvantages FTA 


» Disadvantages are 


' If you do not know what the TOP event should be then you will never create a 
fault tree for it 


' Each TOP event needs a new fault tree 


' Associated with the nuclear power industry, it has an "it does not apply to our 
industry" reputation 


' Only good results if all details are available 


' Difficult to verify a fault tree 
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Exercise #05 


'Case Study: Carry out an FTA 


[Figure: reactor case study with Material A feed, ratio controller and speed controller] 


Exercise # 06 


» An accident animation is shown 
» Document what goes wrong 
» And how it could have been prevented 


» Lets take a look at what happened 
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Hazard and Operability Study 


* About HAZOP 


* Popular technique in the process industry 


> Identifies hazards and operability problems 
» Mainly qualitative 
Very systematic technique 
Can be used 
* During initial design of a plant 
» During modifications and periodic reviews of existing processes 


» For continuous and batch processes 
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What Is HAZOP? 


+ A HAZOP 
' Is a structured and critical examination of a process 
» Not of equipment 
* All possible deviations from the design intent are examined 


* The consequences of the undesirable effects are examined 




Typical Steps 


* Typical steps to conduct a HAZOP study 
' Define scope of project 
' Determine guide words 
' Determine study nodes 
» For each node determine the design intent 
» Apply guide words to each study node 


> Document results 
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Guide Words 


Guide Word | Meaning 
Less | Quantitative decrease of a parameter 
As well as | An additional activity occurs 
Reverse | Logical opposite of the design intention occurs 
Other than | Complete substitution 
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Other useful Guide Words 


Where else 




Parameters and Deviations 
» The guide words are useless without a parameter 
> Typical parameters are: 
» Temperature 
» Pressure 
» Flow 
» Reactants 
» Phase 


» Etc 


» Guide word + parameter = deviation 
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Examples Process Deviations 


Guide Word | Parameter | Deviation 


Choosing Study Nodes 


[Figure: process flow diagram with the study nodes marked (Study Node 2, Study Node 3, ...)] 
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Example Operating Deviations 


+ HAZOP can be applied to operating instructions 


* For example: 


> Operator should start flow A thirty seconds after temperature B is reached 


» Guide words are applied to 
» Flow A: No, More, Less, etc 
* Flow A: Faster, slower 
' Temperature B: Higher, lower 


^ Temperature B: Sooner, later 


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Example HAZOP Sheet 


NODE: Feed section from intermediate storage to buffer/settling tank 

Guide word | Deviation | Possible causes | Consequences | Action required 
NONE | No flow | (1) No supply from intermediate storage | Loss of feed to reaction section and reduced output. Polymer formed in heat exchanger | (a) Ensure good communication with intermediate storage operator. (b) Install low level alarm on settling tank LIC 
 | | (2) J1 pump fails | As for (1) | Covered by (b) 
 | | (3) Line blockage, isolation valve closed in error, or LCV fails shut | As for (1). J1 pump overheats | Covered by (b). (c) Install kick-back on J1 pumps. (d) Check design of J1 pump strainers 
 | | (4) Line fracture | As for (1). Discharge into area adjacent to public highway | Covered by (b). (e) Institute regular patrolling and inspection of transfer line 
MORE OF | More flow | (5) LCV fails open or LCV bypass open in error | Settling tank overfills | (f) Install high level alarm on LIC and check sizing of relief opposite liquid overfilling. (g) Institute locking off procedure for LCV bypass when not in use 
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HAZOP Results 


» Advantages of HAZOP are 


» It is a team effort 


» Collectively we should know more 


* All disciplines involved 


'* Once finished you have a complete documented safety study 


» Relatively easy to verify 
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HAZOP Results 


' Disadvantages of HAZOP are 
' It is a team effort 


' Team is not creative enough 


> Team does not think in problems but in solutions. 




> Too many, too little team members 


» Nodes are not selected correctly 
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* Management commitment is necessary - because it is a team effort it involves a 
lot of time and resources 


' It only looks at hazards from inside the process 
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Exercise #07 


»Case Study: Carry out a HAZOP 


[Figure: reactor case study with ratio controller and speed controller] 
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Exercise # 08 


* Evaluation 


' What are the main differences between the three techniques? 


» Which technique was the best? 


» When would you apply which technique? 
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Hazard Analysis 


> Hazard analysis is the next step after identification 
' Often it is clear what to do once a hazard is identified 
' For some hazards it is not clear what their likelihood and consequences really are 


» Hazard analysis helps understand what the most cost-effective measure is to 
guard against the hazard 
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Hazard Analysis Techniques 


* Hazard analysis techniques in use today 
' Fault tree analysis 
» Event tree analysis 
* Cause consequence diagrams 


+ Dispersion modeling 


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Event Tree Analysis 


» About ETA 


' Helps us understand the consequences of events 


» Models an initiating event and the time sequence of event propagation to the 
potential consequences 


> Can be used qualitatively as well as quantitatively 


* Can be developed independently or in combination with fault tree analysis 




ETA Example 


[Figure: event tree. Initiating event: start of fire (the figure also shows "Explosion" and "10%/year"). Branch 1: fire system works / does not work. Branch 2: alarm works / does not work. Resulting scenarios: controlled fire with alarm; controlled fire with no alarm; uncontrolled fire with alarm; uncontrolled fire with no alarm. Scenario frequencies as printed: 7,91.103; 7,92.105; 7,992.105] 
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Risk Reduction 


' At this point we know 
» Our hazards 
» The consequences of the hazards 


> The likelihood or frequency of the hazards 


* Now we need to ask ourselves 
» Do we need to reduce the risk? 
* By how much do we need to reduce the risk? 


' Is a safety instrumented system necessary? 




Risk Reduction Analysis Techniques 


* Risk reduction analysis techniques in use today 
' Risk matrix 
» Risk graph 
» FMEA 
» Fault tree analysis 
» HAZOP 
' Event tree analysis 


Layer of protection analysis (LOPA) 
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Risk Reduction With FMEA And Risk Matrix 


Failure Information 

Failure mode | Failure rate | Cause | Effect Component Level | Effect System Level | Probability 


Example Risk Reduction Table 

Failure effect | Very Unlikely 0 - 0.05 | Likely 0.05 - 0.5 | Probably 0.5 - 0.95 | Sure 0.95 - 1 
Personal or environmental damage | | | | 
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Risk Reduction With HAZOP 


NODE: Dilution air inlet line to suction of oxidizer blower 


Deviation | Cause | Consequence | Safeguards | SIL | Recommendation 
Low Flow | Valve FCV-1 not fully open | Increase VOC in gas stream. Potential explosion if VOC = LEL and gas reaches incinerator | LEL SENSOR causes diversion of gas stream to atmosphere by opening valve FCV-2A and closing the oxidizer blocking valve CV-2B. Pressure relieving panels. Detonation arrestor | 2 | Check response time of LEL sensor. Provide LIMIT SWITCH on valve. Provide LOW FLOW ALARM. Verify operator procedures. Verify if relief area is adequate 
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Consequences 


Consequence Range | Qualitative Criteria 
4 | Personnel: Multiple critical injuries or fatalities. Public: Potential for multiple critical injuries or fatalities. Environment: Unconfined release with major environmental impact. Property: Plant & production loss in excess of $100 M 
3 | Personnel: Potential for serious injuries or single fatality. Public: Potential for serious injuries or single fatality. Environment: Unconfined release with medium environmental impact. Property: Plant & production loss in the range of $10 to $100 M 
2 | Personnel: Severe injury requiring medical emergency care. Public: Potential for severe injury requiring medical emergency care. Environment: Unconfined release with minor environmental impact. Property: Plant & production loss in the range of $1 to $10 M 
1 | Personnel: Injury requiring first aid. Public: Odor or noise nuisance, no direct impact. Environment: Confined release with localized impact. Property: Plant & production loss in the range of $0 to $1 M 
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Frequency 


Frequency Range | Quantitative (by numbers) Criteria 
4 | Greater than 1/100 yr., e.g., single instrument or valve failure, hose failure or a single error in routine activity 
3 | 1/100 - 1/1000 yr., e.g., dual instrument or valve failure, hose rupture, piping leak, or human error 
2 | 1/1000 - 1/10,000 yr., e.g., combination of instrument failures and human errors, or guillotine breaks of small process lines or fittings 
1 | Less than 1/10,000 yr., e.g., multiple instrument or valve failures or human errors, or spontaneous failures of tanks or process vessels 
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Frequency 


Frequency Range | Qualitative (by words) Criteria 
4 | Very high, e.g., single instrument or valve failure, hose failure or a single error in routine activity 
3 | High, e.g., dual instrument or valve failure, hose rupture, piping leak, or human error 
2 | Low, e.g., combination of instrument failures and human errors, or guillotine breaks of small process lines or fittings 
1 | Very low, e.g., multiple instrument or valve failures or human errors, or spontaneous failures of tanks or process vessels 
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Risk Reduction Matrix 


[Figure: risk reduction matrix, frequency range (1 to 4) against severity of consequences (1 to 4); the cells where risk must be reduced are marked SIL 1 and SIL 2] 
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Risk Graph Example 


"Uu 
Risk Parameters: 


D - Extent of Damage 
D1: slight injury 
D2: severe irreversible injury to one or more persons or death of a person 
D3: Death of several persons 
D4: Catastrophic consequences, multiple deaths 


E - Exposure Time 
E1: seldom to relatively frequent 
E2: frequent to continuous 


A - Hazard Avoidance / Mitigation 
A1: possible under certain conditions 
A2: hardly possible 


P - Occurrence Probability 
very low probability 
low probability 
relatively high probability 
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Risk Graph (UKOOA) 


C1 Replacement cost less than $5M 
C2 Replacement cost more than $5M, less than $50M 
C3 Replacement cost more than $50M 


F1 Production rate up to 10,000 bbls/day 
F2 Production rate more than 10,000 bbls/day 


P1 Possible for operator to take action to prevent incident or to significantly reduce consequences 
P2 Unlikely that operator action will prevent or mitigate consequences 


W1 Demand occurs very rarely 
W2 Demands occur on an average basis 
W3 Frequent demands 


- No safety requirements 
a No special safety requirements 
b An E/E/PES is not sufficient 

[Figure: UKOOA risk graph; the path through C, F, P and W leads to -, a, SIL 1 to SIL 4, or b] 
ETA Example 


Scenario | Frequency | People (H / M / L) | Environment (H / M / L) | Economy (H / M / L) 
[Table rows not legible] 
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Layer of Protection Analysis 
* About LOPA 
' It helps determine the frequency of occurrence of the hazardous event 
' It is a modified version of event tree analysis 
' It helps establish the frequency of a hazardous event leading to an accident 


' It takes into account only protection layers 


' Can be used qualitatively as well as quantitatively 
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LOPA Example 


[Figure: LOPA event tree with the relief valve as the last branch. Outcome / consequence per branch: temperature controlled, pressure normal: impact on product quality (frequency 1,61E-2); temperature too high, pressure controlled: impact on product and equipment; temperature too high, pressure high: impact on equipment and production; temperature too high, pressure too high: explosion, fatalities, equipment damage, environmental damage] 
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LOPA Example 


[Figure: frequency (events per year) against impact category (impact > $100,000; impact > $1 million; impact > $10 million); the hazardous-event frequency falls in the region requiring SIL 2] 


» RRF = Event Frequency / Tolerable Frequency 
» PFD = 1 / RRF 
» RRF = 400 (SIL 2) 
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LOPA Example 


[Figure: the same LOPA event tree after adding the SIF. Outcome / consequence per branch with printed frequencies: temperature controlled, pressure normal: impact on product quality (6,883E-3); temperature too high, pressure controlled: impact on product and equipment (1,208E-5); temperature too high, pressure high: impact on equipment and production (4,865E-6); temperature too high, pressure too high: explosion, fatalities, equipment damage, environmental damage] 


Adding a SIL 2 SIF with PFD = 2.5E-03 
LOPA Example

FREQUENCY (events per year) versus CONSEQUENCE matrix

[Risk matrix figure: consequence categories Impact > $10 million / irreparable damage and Impact > $1 million / impact beyond boundaries; the remaining cells did not survive extraction]

» A SIL 2 SIF with PFD = 2.5E-03 will do the job
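The LOPA arithmetic on these slides (initiating frequency reduced by each independent protection layer, compared with a tolerable frequency, RRF = event frequency / tolerable frequency, PFD = 1/RRF, SIL band from the PFD) as an added worked example. This is not code from the course; the event frequency of 4E-2 per year and the tolerable frequency of 1E-4 per year are constructed so that the result reproduces the slide's RRF of 400, and the PFDavg bands are the IEC 61508 low demand bands.

```python
"""LOPA sizing of a safety instrumented function (SIF).

Added example (not from the course slides): starts from the frequency
that remains after the existing protection layers, multiplies through
the PFD of each independent protection layer (IPL), compares the result
with the tolerable frequency, and derives the Risk Reduction Factor
(RRF), the PFD the SIF must deliver, and the SIL band that PFD falls in.
"""

# IEC 61508 low demand mode bands: SIL -> (PFDavg lower bound inclusive, upper bound exclusive)
PFD_BANDS = {
    4: (1e-5, 1e-4),
    3: (1e-4, 1e-3),
    2: (1e-3, 1e-2),
    1: (1e-2, 1e-1),
}


def mitigated_frequency(initiating_frequency, ipl_pfds):
    """Frequency of the hazardous outcome after the listed IPLs (events per year).

    Each layer lets the event through only when it fails on demand, so
    the frequencies multiply.  This assumes the layers are independent;
    a layer that shares a common cause with another one must not be
    credited here (the warning on the LOPA Results slide).
    """
    frequency = initiating_frequency
    for pfd in ipl_pfds:
        if not 0.0 < pfd <= 1.0:
            raise ValueError(f"PFD must be in (0, 1], got {pfd}")
        frequency *= pfd
    return frequency


def required_rrf(event_frequency, tolerable_frequency):
    """RRF as defined on the slide: event frequency / tolerable frequency."""
    return event_frequency / tolerable_frequency


def sil_for_pfd(pfd):
    """SIL band (1..4) for a target PFDavg; 0 means no SIL credit can be claimed."""
    for sil, (low, high) in PFD_BANDS.items():
        if low <= pfd < high:
            return sil
    if pfd >= 1e-1:
        return 0
    raise ValueError("PFD below the SIL 4 band; a single SIF cannot be credited that much")


def size_sif(event_frequency, tolerable_frequency):
    """Return (RRF, required PFD, SIL) for the SIF that closes the gap."""
    rrf = required_rrf(event_frequency, tolerable_frequency)
    if rrf <= 1.0:
        return rrf, 1.0, 0          # already tolerable, no SIF needed
    pfd = 1.0 / rrf                 # slide: PFD = 1 / RRF
    return rrf, pfd, sil_for_pfd(pfd)


if __name__ == "__main__":
    # Constructed numbers chosen so that the result reproduces the slide's RRF of 400:
    # 4E-2 events per year remain after the existing layers, 1E-4 per year is tolerable.
    rrf, pfd, sil = size_sif(4e-2, 1e-4)
    print(f"RRF = {rrf:.0f}, required PFD = {pfd:.2e}, SIL {sil}")
    after = mitigated_frequency(4e-2, [pfd])
    print(f"frequency with SIF = {after:.2e} per year")
```

The SIL band is read from the required PFD, not from the RRF directly, which is why a required PFD of 2.5E-03 lands in SIL 2 (1E-03 to 1E-02) exactly as the slide states; `mitigated_frequency` only multiplies PFDs of layers that are genuinely independent.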
LOPA Results

» Advantages
  * More accurate modeling compared to Risk Graph or Risk Matrix
  * Takes into account unlimited numbers of available protection layers
» Disadvantages
  * LOPA is suitable for playing with numbers
  * Often credit is given for wrong or non-protection layers
  * Pay attention to common cause between layers
  * Pay attention to what actually a protection layer is and what is not

Copyright © 2002 - 2011 Risknowlogy®. All rights reserved.

Pay Attention!

» For all techniques/tools it holds that
  * They are only as good as you use them
  * Garbage in means garbage out
  * Any technique based on data requires reliable data to get reliable results
» Create company procedures for each technique you want to use
  * What are the rules of the technique?
  * When to apply which technique?
Exercise #09

Case Study: Select the appropriate SIL

[P&ID figure: Material A feed with flow transmitters (FT) and controllers; the details did not survive extraction]
Safety Function

» There are five basic properties
  * Sense
  * Logic
  * Actuate
  * Timing
  * Safety integrity (SIL)
» Timing is determined by the process safety time
» Rule of thumb: Timing < Process Safety Time / 2
Bad Example of a Safety Function

» From practice:
  * "The main safety function of the HIPPS is to protect the separation vessels against overpressure and to protect the low pressure equipment against high pressure."

Better Example of a Safety Function

» Example of a safety function
  * "Measure the temperature in vessel V23 in two locations and if the temperature exceeds the 65 °C temperature limit open the drain valve within 3 seconds. The safety integrity of this safety function should meet SIL 3."
Safety Requirement Specification

» The end-user's SRS could include things like:
  * Functional description of all safety functions
  * Safety integrity level
  * Required Risk Reduction Factor
  * Energize to trip or de-energize to trip
  * Low demand, high demand or continuous mode
  * Safe state for each safety function
  * Startup, restart, reset functionality
  * Maximum allowable spurious trip level (STL)
  * Environmental conditions (temperature, EMC, humidity, vibration, etc.)
  * Bypass philosophy
  * Etc.
Summary Module 3

» In this module we addressed
  * How to identify hazards
  * How to analyze hazards
  * That frequency × consequence = risk
  * How to determine risk reduction
  * That a risk matrix or graph can help us determine the SIL per safety function
  * That once the safety function is defined we can write a top level SRS
Planning The Safety Instrumented System

Planning the Safety Instrumented System

» In this module
  * Overall planning
  * Implementation of a safety instrumented system
  * Safety plan, V&V plan and overall SRS
  * Requirements for suppliers
Where Are We?

[Safety lifecycle figure with the current phases highlighted: Hazard and risk assessment; Allocation of safety functions; the remaining boxes did not survive extraction]
Planning for End Users (Integrators)

» What needs to be planned
  * Overall installation and commissioning
  * Overall safety validation
  * Operation and maintenance

End Users Need

» At this point the end user
  * Knows which safety functions there are
  * Knows which safety functions will be implemented in which technology
  * Needs sufficient information (documentation) from his suppliers to plan his activities

Typical Questions

» An end-user should understand what to expect
  * Do we need to train our personnel?
  * Do we need to hire new people with special expertise?
  * Do we need to buy special tools or equipment?
  * Do we need to change or create new procedures?
  * Etc.
» Do we have proper functional safety management in place?
  * Do we have a functional safety manager?
Realization Safety Instrumented System

» Realization is done by
  * Integrators and/or product manufacturers
» What do integrators and product manufacturers deliver?
  * Hardware and/or
  * Software
  * Documentation
    - Including documentation to operate, maintain, validate, commission and install the safety instrumented systems

Three Important Documents

» When we start with the physical safety instrumented systems the following three documents are important
  1. Safety plan
  2. Verification & validation plan
  3. Safety requirements specification
» The user, the integrator, the manufacturer, they all have their own versions of these documents
» The functional safety manager(s) needs to manage these documents
Safety Plan

» Objective
  * How do we plan to achieve functional safety?
» Typical content
  * Lifecycle(s) and phases
  * People, organizations and responsibilities
  * Tools, techniques, etc.
  * Modification procedure

Verification & Validation Plan

» Objective
  * Did we build the safety instrumented systems right? - Verification
  * Did we build the right safety instrumented systems? - Validation
» Typical content
  * Who verifies/validates what?
  * When is verification/validation done?
  * How is verification/validation done?
  * Which tools, techniques, knowledge are needed?
  * Etc.
Safety Requirements Specification

» The end-user knows his specification as it resulted from the hazard and risk analysis
» Often system integrators build the actual safety instrumented systems and their safety functions
» Recommendation
  * Translate the end-user safety requirements specification into a system integrator safety requirements specification
    - Hardware requirements
    - Software requirements
  * Have the end-user approve the system integrator safety requirements specification before the design and engineering work starts

Requirements For Suppliers

» Suppliers of safety equipment should make sure that end-users get enough information so that they can easily
  * Operate and maintain
  * Validate
  * Commission and install
  * And prove that their safety functions are compliant
» Usually this is done via product manuals
» But system integrators also need to think about manuals on system level
Summary Module 4

» In this module we addressed
  * What needs to be planned
  * What an end user needs to know
  * The realization of the safety instrumented systems
  * The three most important documents in the safety industry
  * Requirements for suppliers
  * Need for a functional safety manager

Hardware Design

Hardware Design

» In this module
  * Hardware lifecycle
  * Hardware concepts
  * Architectural constraints
  * Measures to control and avoid failures
  * Reliability analysis

Where Are We?
Hardware Lifecycle - IEC 61508

[E/E/PE system safety lifecycle figure; the boxes that could be recovered:]
  1. E/E/PE system design requirements specification
  2. E/E/PE system safety validation planning
  3. E/E/PE system design & development including ASICs
  4. E/E/PE system integration
  5. E/E/PE system installation, commissioning, operation and maintenance procedures
  6. E/E/PE system safety validation
  Verification
  Functional Safety Management
  Documentation
  Functional Safety Assessment
Fundamental Hardware Concepts

» Hardware design on safety function level
  * De-energize versus energize
  * Low demand, high demand, continuous mode - IEC 61508
  * Demand mode, continuous mode - IEC 61511
» Target failure measure
  * Probability of Failure Dangerous - PFDavg, PFH
    - A measure for the Safety Integrity Level (SIL)
  * Probability of Fail Safe
    - A measure for the Spurious Trip Level® (STL)
De-energize Or Energize To Trip

» What is the difference?
  * A de-energize to trip safety instrumented system does not need energy to perform its safety function
    - It is based on the so-called fail-safe design principle
  * An energize to trip safety instrumented system needs energy to perform its safety function
    - This is not fail safe

De-energize To Trip Examples

» Fail safe programmable electronic logic solver
  * Safe state is always the 0 state or energyless state
  * Only electrical power will result in a 1 state
» Spring return actuator
  * Energize spring to open valve
  * De-energize spring to close (FC)
» Fail safe design

Energize To Trip Examples

» Sprinkler system
  * Pumps
  * Electricity
  * Water
» Fire & gas system
  * Detection and alarm management
Low Demand, High Demand, Continuous

» IEC 61508 defines 3 types of safety function operation
  * Low demand mode
  * High demand mode
  * Continuous mode

Low Demand Mode - IEC 61508

» Low demand mode safety function
  * Where the safety function is only performed on demand, in order to transfer the EUC into a specified safe state, and where the frequency of demands is no greater than one per year
» Typical example
  * Emergency shutdown system with ESD valve

High Demand Mode - IEC 61508

» High demand mode safety function
  * Where the safety function is only performed on demand, in order to transfer the EUC into a specified safe state, and where the frequency of demands is greater than one per year
» Typical example
  * Emergency shutdown system based on drain valve of a batch reactor process

Continuous Mode - IEC 61508

» Continuous mode safety function
  * Where the safety function retains the EUC in a safe state as part of normal operation
» Typical example
  * Keep supply valve of gas burner at 50% capacity during start-up procedure
Demand Versus Continuous - IEC 61511

» IEC 61511 defines demand mode and continuous mode
» Demand mode
  * A dangerous failure of the safety function itself has no immediate effect on the process
  * The process is in danger if
    - The safety function has failed dangerous AND
    - A demand occurs
» Continuous mode
  * A dangerous failure of the safety function itself has an immediate effect on the process
  * The process is in danger because the safety function has failed dangerous

Pay Attention!

» Each demand needs to be analyzed for its reason(s)
» Bad process control often results in too many demands
» Frequent demands for a low demand process should not necessarily result in "we need a high demand safety instrumented system"
  * It might result in changes in process design, operation of the process, procedures, ...
Probability Of Failure

» For each safety function we need to know how often it fails
» Probability of Failure on Demand - PFD
  * The probability that the safety function does not work upon demand from the process
  * Requirement in IEC 61511
» Probability of Fail Safe - PFS
  * The probability that the safety function is carried out without a demand from the process
  * Not a requirement in IEC 61511
PFDavg Versus PFH

» The probability of failure on demand after one year or after one hour

[Table: SIL versus target failure measure, with columns "(low) demand mode" (PFDavg) and "high demand / continuous mode" (PFH); the cell values did not survive extraction]

Spurious Trip Level®

» Probability of fail safe - PFS

[Table: STL versus PFSavg and PFSh bands; the cell values did not survive extraction]

How To Use the Spurious Trip Level®

» For each safety function estimate how much it costs to have a spurious trip
» The higher the cost the higher the STL should be
» For each company the levels need to be determined individually, see example below

STL             Cost of a spurious trip due to safety instrumented function
(label lost)    Between €100k and €500k
(label lost)    Between €0 and €100k
Subsystems

» A safety function is part of a system which can have several subsystems and elements
» Any subsystem / element used in the safety function must be a compliant item, i.e., an item that fulfills the requirements of the standard

Fundamental Hardware Concepts

» Hardware design on subsystem level
  * Redundancy and diversity
  * Voting and hardware fault tolerance
  * Type A and Type B
  * Failure modes
  * Detected and revealed failures
  * Safe failure fraction
  * Architectural constraints
Redundancy

» What is redundancy?
» Definition
  * The use of the same means to achieve the same (or part of the same) safety function
» Redundancy may be achieved by
  * Same hardware and/or software, or
  * Diverse hardware and/or software
» Redundancy does not necessarily help against hardware common cause failures and does not help against systematic failures

Examples — Redundancy

» Redundant equipment

[Figure: redundant equipment; the details did not survive extraction]
Diversity

» What is diversity?
» Definition
  * The use of different means to perform the same (or part of the same) safety function
» Diversity can be achieved by
  * Different physical methods
  * Different design philosophies
» Diversity is one measure against common cause and systematic failures, but does not necessarily help against all common cause and systematic failures

Examples — Redundancy

» Diverse equipment
» Diverse design solution

[Figure: a level gauge beside a level transmitter as diverse means for the same measurement]
Voting

» Voting is defined as
  * The number of independent paths (M) required out of the total number of existing paths (N) in order to perform the safety function
» Voting is often expressed as MooN
  * M expresses the number of voting
  * N expresses the number of redundancy
  * For example 1oo2, 2oo3, 2oo4, etc.
» Voting can "destroy" redundancy, e.g., 2oo2

Examples — Redundancy

» 1oo2 Fail to Close (FC) valves
» 2oo2 Fail to Open (FO) valves

[Figure: two process vessels, one protected by 1oo2 FC valves and one by 2oo2 FO valves; the details did not survive extraction]

Hardware Fault Tolerance (HFT)

» A hardware fault tolerance of N means
  * That N + 1 faults could cause a loss of the safety function
» Hardware fault tolerance is easy to calculate
  * For any MooN system, HFT = N - M
  * For example, the HFT of a 2oo3 system is: 3 - 2 = 1
Exercise # 10

Architecture    Voting    Redundancy
1oo1

[The remaining rows of the exercise table did not survive extraction]

Type A Subsystems

» A subsystem is type A if
  * The failure modes are well defined, AND
  * The failure behavior can be completely determined, AND
  * Sufficient failure data is available

Type B Subsystems

» A subsystem is type B if
  * One or more failure modes are not well defined, OR
  * The failure behavior cannot be completely determined, OR
  * Insufficient failure data is available
» If there is an IC inside you can be 99.99% sure it is a Type B
Subsystem Failure Modes

» Safe failure
  * The subsystem fails safe if it carries out the safety function without a demand from the process
» Dangerous failure
  * The subsystem fails dangerous if it cannot carry out the safety function upon demand from the process
» No effect failure
  * The element that fails is part of the safety function but the failure does not affect that safety function
» No part failure
  * The element that fails is not part of the safety function
» Detected failure
  * A failure is detected if built-in diagnostics reveal the failure

Revealing Failures

» Failures can be revealed in three ways
  * Through normal process operation
  * Through periodic proof tests
  * Through built-in diagnostic tests
Through Normal Process Operation

» Revealing failures through normal process operation means that
  * The process behavior on its own reveals the failure of the subsystem, for example
    - The factory shuts down due to a safe failure in the pressure transmitter, or
    - The vessel cannot be emptied due to a dangerous stuck-closed drain valve
» This way of revealing failures is not useful
  * Not from a safety point of view
  * Not from a process availability point of view

Revealing Through Testing

» In the safety industry a lot of testing takes place
  * Periodic proof tests
  * Built-in diagnostic tests
» Any test has two properties
  * Frequency: How often is it carried out
  * Coverage: The percentage of failures detected
» A test is only useful if we act upon its results and thus a decision is made for further action
Revealing Failures By Diagnostics

» A test is called a Diagnostic Test when that test
  * Is carried out automatically, AND
  * Is carried out frequently, AND
  * Is used to reveal failures that could jeopardize the safety function, AND
  * Results in an automated safe response
» Usually a diagnostic test is a "built-in" feature
  * For example a memory test, CPU test, watchdog, ...

About Diagnostic Frequency

» How frequently should a test be carried out to be called a Diagnostic Test?
  * At least a magnitude (factor 10) faster than the expected demand rate
  * Diagnostic Test Frequency > 10 × Demand Rate
» For example
  * If the expected demand is once per year, and automatic partial strokes are performed, on a 1oo2 valve configuration, more often than once per month, then that partial stroke test is designated as a Diagnostic Test
    - Provided that 1 valve can always bring the process to the safe state
  * The same automated partial stroke test performed once every 2 months would be designated as a periodic Proof Test
Revealing Failures By Proof Tests

» All other tests are called Proof Tests. They are
  * Not automatic, OR
  * Their frequency is too low
» A proof test is
  * Initiated by human action
  * Usually not "built-in", additional equipment is necessary to carry out the test
  * For example an operator performs a Partial Stroke Test (PST) on a safety valve

Proof Test

» We can carry out a proof test on
  * One individual device
  * A combination of devices
  * The complete safety loop

[Figure: safety loop with subsystem boundaries; the details did not survive extraction]

Practical Question...

» Question
  * What are the three practical differences between a Diagnostic and a Periodic Proof Test?
  * Would you rather buy an expensive piece of equipment with a lot of diagnostics or rather buy a cheaper piece of equipment and perform proof tests?
In Summary

Attribute                                    Diagnostic Test                 Proof Test
Coverage                                     0 - 100%                        0 - 100%
Frequency                                    High                            Low
                                             Milliseconds, minutes, hours    Days, weeks, months, years
Runs automatically?                          Yes                             No
Built in? (No external equipment needed?)    Yes                             No
Detected or Not? That Is the Question

Revelation Method → Device Failure Rate
» Safe failure
  * Periodic Proof Test → Safe Undetected - SU
  * Diagnostic Test → Safe Detected - SD
» Dangerous failure
  * Periodic Proof Test → Dangerous Undetected - DU
  * Diagnostic Test → Dangerous Detected - DD
» No Effect failure
  * Periodic Proof Test → No Effect Undetected - NEU
  * Diagnostic Test → No Effect Detected - NED
» No Part failure
  * Periodic Proof Test → No Part Undetected - NPU
  * Diagnostic Test → No Part Detected - NPD

Failure Distribution

» Failure rates are expressed as failures per hour

[Pie chart "Failure Rate Distribution" with slices NE - No Effect, DU - Dangerous Undetected, DD - Dangerous Detected, SD - Safe Detected, SU - Safe Undetected, NP - No Part; the slice sizes did not survive extraction]
Safe Failure Fraction (SFF)

» What is it?
  * A measure of the effectiveness of the fail safe design and/or the built-in diagnostic tests
  * It is a design parameter, not an operational parameter
» It is calculated as follows:

  SFF = (λ_S + λ_DD) / (λ_S + λ_DD + λ_DU)

Pay Attention

» A Proof Test cannot be used to calculate the SFF
  * A Proof Test is an operational parameter
» Why does the SFF exist?
  * The PFD reflects how often a subsystem fails in a dangerous undetected mode; this is not enough to express safety
  * The SFF reflects the ratio of dangerous undetected failures inherent in a subsystem
» Dangerous undetected failures
  * SFF = "How many"
  * PFD = "How often"
Architectural Constraints IEC 61508

[Table: minimum hardware fault tolerance versus Safe Failure Fraction (SFF) for Type A and Type B subsystems, with SFF columns from <60% to >99%; the cell values did not survive extraction]

Architectural Constraints IEC 61511

» Programmable electronic (PE) logic solvers

SIL    Minimum hardware fault tolerance
       SFF < 60%    SFF 60% to 90%    SFF > 90%
[Rows for SIL 1 to SIL 3 did not survive extraction]
4      Special requirements apply, see IEC 61508

Architectural Constraints IEC 61511

» All equipment except PE logic solvers

SIL    Minimum hardware fault tolerance
[Rows for SIL 1 to SIL 3 did not survive extraction]
4      Special requirements apply, see IEC 61508
When to reduce or increase HFT?

» You may reduce the HFT by 1 if:
  * The hardware device is selected on prior use, AND
  * Only process related parameters can be adjusted, AND
  * Adjustment of process parameters is protected, AND
  * The SIL is less than 4
» You must increase the HFT by 1 if:
  * The dominant failure is not to the safe state, AND
  * Dangerous failures are not detected
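The HFT rule (HFT = N - M), the SFF formula and the IEC 61511 architectural constraint check with the +1 / -1 adjustments from this slide, as one added worked example; it is not code from the course. The minimum HFT tables are my reading of IEC 61511-1 Tables 5 and 6 (2003 edition) and are an assumption to verify against your copy of the standard; the failure rates used in the demo are the ones from the course's "Example Failure Rate Data" slide.

```python
"""Hardware fault tolerance, safe failure fraction and the IEC 61511 architectural constraints.

Added example (not from the course slides).  The minimum HFT tables are
my reading of IEC 61511-1 Tables 5 and 6 (2003 edition); check them
against your copy of the standard before relying on the numbers.
"""


def hft(m, n):
    """Hardware fault tolerance of a MooN architecture: HFT = N - M (slide rule)."""
    if not 1 <= m <= n:
        raise ValueError(f"invalid voting {m}oo{n}")
    return n - m


def sff(lambda_s, lambda_dd, lambda_du):
    """Safe failure fraction from the slide formula: (lS + lDD) / (lS + lDD + lDU)."""
    return (lambda_s + lambda_dd) / (lambda_s + lambda_dd + lambda_du)


def sff_column(sff_value):
    """Column index of the SFF bands used on the IEC 61511 slide: <60%, 60%-90%, >90%."""
    if sff_value < 0.60:
        return 0
    if sff_value <= 0.90:
        return 1
    return 2


# IEC 61511-1 Table 5 (assumption, see module docstring): PE logic solvers,
# minimum HFT per SIL for the three SFF columns above.
PE_LOGIC_SOLVER_MIN_HFT = {1: (1, 0, 0), 2: (2, 1, 0), 3: (3, 2, 1)}
# IEC 61511-1 Table 6 (assumption): all other equipment, minimum HFT per SIL
# before the +1 / -1 adjustments described on the slide.
OTHER_EQUIPMENT_MIN_HFT = {1: 0, 2: 1, 3: 2}


def min_hft_pe_logic_solver(sil, sff_value):
    if sil == 4:
        raise ValueError("SIL 4: special requirements apply, see IEC 61508")
    return PE_LOGIC_SOLVER_MIN_HFT[sil][sff_column(sff_value)]


def min_hft_other(sil, prior_use, process_params_only, adjustment_protected,
                  dominant_failure_safe, dangerous_failures_detected):
    """Minimum HFT for equipment other than PE logic solvers, with the slide's adjustments."""
    if sil == 4:
        raise ValueError("SIL 4: special requirements apply, see IEC 61508")
    required = OTHER_EQUIPMENT_MIN_HFT[sil]
    # Reduce by 1 if ALL of: selected on prior use, only process parameters
    # adjustable, adjustment protected, SIL < 4 (guaranteed by the check above).
    if prior_use and process_params_only and adjustment_protected:
        required = max(0, required - 1)
    # Increase by 1 if the dominant failure is not to the safe state AND
    # dangerous failures are not detected.
    if not dominant_failure_safe and not dangerous_failures_detected:
        required += 1
    return required


def architecture_ok(m, n, required_hft):
    """Architectural constraint check: the MooN voting must provide at least the required HFT."""
    return hft(m, n) >= required_hft


if __name__ == "__main__":
    # Failure rates (per hour) from the course's example data slide: SD + SU, DD, DU.
    sff_value = sff(3.06432e-6 + 1.72368e-6, 1.22472e-6, 2.8728e-7)
    print(f"SFF = {sff_value:.2%}")
    need = min_hft_pe_logic_solver(3, sff_value)
    print(f"SIL 3 PE logic solver needs HFT {need}; 1oo2 gives HFT {hft(1, 2)} -> {architecture_ok(1, 2, need)}")
```

With the course's example rates the SFF comes out at 95.44%, so a SIL 3 programmable logic solver needs HFT 1 and a 1oo2 arrangement passes; the same device at SFF 70% would need HFT 2, which 2oo3 (HFT 1) does not provide, and the slide's "show stopper" applies before any PFD calculation is attempted.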
When IEC 61508 and When IEC 61511?

[Decision figure for hardware; the recovered branches:]
» User hardware based on proven in use? → Follow IEC 61511, Tables 61511
» User hardware developed and assessed according to IEC 61508? → Follow IEC 61511, Tables 61508
» New hardware development? → Follow IEC 61508-2, Tables 61508

Architectural Constraints Not Met?

» Real "show stopper"
  * No need to continue
  * No need to make a probability calculation
» What you need to do is
  * Redesign the architecture, or
  * Change the configuration of the architecture
  * Select more suitable devices
  * Select devices with a higher safe failure fraction
1oo1 Safety Instrumented System

[Figure: single channel (1oo1) safety loop with DU and SU failure contributions marked; the details did not survive extraction]

1oo2 Safety Instrumented System

[Figure: the details did not survive extraction]

1oo2 Safety Instrumented System Version III

2oo2 Safety Instrumented System

» Bad safety system design
» No safety -> Process Availability

Exercise # 11

» Design two SIFs
Reliability Analysis

» Why a reliability analysis? According to the standards we need to
  * Document the failure behavior of the safety function
  * Determine the SFF per subsystem
  * Determine the target failure measure (PFDavg, PFH) per safety function
» Another reason to carry out a reliability analysis
  * Process owner / user also wants to know the spurious trip level of the safety function

Reliability Model

» Reliability Modeling Techniques
  * Reliability Block Diagram
  * Fault Tree Analysis
  * Simplified Equations
  * Parts Count Analysis
From Safety Function to Block Diagram

» Measure the temperature and when the temperature exceeds 65 °C open the drain and stop the supply pumps to the reactor within 3 seconds. The function needs to be carried out on SIL 3 level

Examples Simplified Equations

» 1oo1
  PFD_avg = (λ_DU + λ_DD) · t_CE

» 1oo2
  PFD_avg = 2 · ((1 - β_D) · λ_DD + (1 - β) · λ_DU)² · t_CE · t_GE + β_D · λ_DD · MTTR + β · λ_DU · (T1/2 + MRT)

» Don't forget, simplified equations are not that simple, they are derived from Markov models!
» IEC 61508 has formulas for 1oo1, 1oo2, 1oo2D, 2oo2, and 2oo3
  * They are not normative
Fault Tree Analysis - FTA

[Fault tree figure: top event "Safety Function Failed" with branches "Input Failed" and "Output Failed"; the lower levels did not survive extraction]

Source: Vande Capelle, Houtermans 2006

Markov Analysis

» Markov is the most flexible, the most systematic and the only fully traceable reliability technique
» What is Markov about?
  * A.A. Markov - Russian mathematician (1856 - 1922)
  * Involved in random processes
  * Can be applied to systems that behave randomly in time
» Sounds complicated, but...

Markov Modeling

» With Markov you can make 1 model taking into account:
  * Any component with any failure modes (hardware, software, human error, etc.)
  * Diagnostic features
  * Repair and test strategies
  * (Im)perfect proof testing
  * Sequences of failures
  * Common cause and systematic failures
  * All of the above in one model and as function of time
» Tools are available that support the model creation and that can solve the Markov model

Practical Example of a 2oo3 HIPPS

[Figure: 2oo3 HIPPS; the details did not survive extraction]
How to Make a Markov Model

» Markov models consist of
  * Markov states
  * Transitions
    - A working component fails
    - A failed component is repaired

[State diagram: "Component OK" --Failed--> "Component Failed" --Repaired--> "Component OK"]
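The states-and-transitions idea of this slide and the "(im)perfect proof testing" and "as function of time" points of the Markov Modeling slide, as an added worked example. It is my own small numerical model, not code from the course and not a reproduction of the Risknowlogy MARKOV tool: a 1oo1 channel with the states OK, dangerous detected (DD), dangerous undetected (DU) and spurious trip (ST), stepped hour by hour, with a proof test that only recovers a fraction of the DU probability mass. The rates, repair time, proof test interval and coverage are taken from the course's "Example Failure Rate Data" slide; the forward-Euler stepping and the assumption that a spurious trip is restored in the same MTTR are mine.

```python
"""Numerical Markov model of a 1oo1 channel with detected, undetected and spurious failures.

Added example (not from the course slides, and not a reproduction of the
Risknowlogy MARKOV tool).  States: OK, DD (dangerous failure found by
diagnostics, under repair), DU (dangerous failure nobody knows about
until the proof test) and ST (safe failure, spurious trip, under repair).
The chain is stepped hour by hour; at each proof test a fraction
PROOF_TEST_COVERAGE of the DU probability mass is returned to OK, which
is what imperfect proof testing means.
"""

# per-hour failure rates and test/repair data from the "Example Failure Rate Data" slide
SD, SU, DD, DU = 3.06432e-6, 1.72368e-6, 1.22472e-6, 2.8728e-7
MTTR = 8.0                  # hours
PROOF_TEST_INTERVAL = 4380  # hours (6 months)
PROOF_TEST_COVERAGE = 0.90

STATE_OK, STATE_DD, STATE_DU, STATE_ST = range(4)


def step(p, dt=1.0):
    """One forward-Euler step of the Markov chain (valid while rate * dt << 1)."""
    ok, dd, du, st = p
    mu = 1.0 / MTTR                      # repair rate for detected / revealed failures
    ok_out = (DD + DU + SD + SU) * dt
    new_ok = ok * (1 - ok_out) + (dd + st) * mu * dt
    new_dd = dd * (1 - mu * dt) + ok * DD * dt
    new_du = du + ok * DU * dt           # no way out: undetected until the proof test
    new_st = st * (1 - mu * dt) + ok * (SD + SU) * dt   # assumption: trip restored within MTTR
    return (new_ok, new_dd, new_du, new_st)


def proof_test(p, coverage):
    """The proof test reveals and repairs a fraction `coverage` of the undetected dangerous failures."""
    ok, dd, du, st = p
    return (ok + du * coverage, dd, du * (1 - coverage), st)


def markov_averages(intervals, coverage=PROOF_TEST_COVERAGE, dt=1.0):
    """Time-averaged (PFDavg, fraction of time in spurious trip) over `intervals` proof test intervals."""
    p = (1.0, 0.0, 0.0, 0.0)
    steps = int(PROOF_TEST_INTERVAL / dt)
    dangerous_sum = safe_sum = 0.0
    count = 0
    for _ in range(intervals):
        for _ in range(steps):
            p = step(p, dt)
            dangerous_sum += p[STATE_DD] + p[STATE_DU]
            safe_sum += p[STATE_ST]
            count += 1
        p = proof_test(p, coverage)      # end of interval: proof test, then carry the residual DU
    return dangerous_sum / count, safe_sum / count


if __name__ == "__main__":
    pfd1, pfs1 = markov_averages(1)
    pfd20, _ = markov_averages(20)
    print(f"first interval:  PFDavg = {pfd1:.3e}, time in spurious trip = {pfs1:.2e}")
    print(f"20 intervals, 90% proof test coverage: PFDavg = {pfd20:.3e}")
    print(f"20 intervals, perfect proof test:      PFDavg = {markov_averages(20, coverage=1.0)[0]:.3e}")
```

Over the first interval the model lands within a fraction of a percent of the closed-form 1oo1 value λ_D · t_CE (about 6.4E-4), which is the sense in which the slides say the simplified equations are derived from Markov models. Running it over twenty intervals with 90% coverage shows the other point: the 10% of DU failures the proof test misses accumulate, and the lifetime PFDavg drifts up, which a single-interval formula cannot show.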
Reliability Data Requirements

» A reliability model is nice but without data we cannot perform any calculations
» We need data on device/equipment level:
  * Safe detected failure rate - SD
  * Safe undetected failure rate - SU
  * Dangerous detected failure rate - DD
  * Dangerous undetected failure rate - DU
  * Repair times
  * Proof test interval and coverage

Example Failure Rate Data

» If we have the basic reliability data, for example:
  * SD = 3,06432e-6
  * SU = 1,72368e-6
  * DD = 1,22472e-6
  * DU = 2,8728e-7
  * Mean time to repair = 8 hours
  * Proof test interval = 6 months
  * Proof test coverage = 90%
» Then with the appropriate reliability model we can calculate all important functional safety parameters: SFF, PFDavg, PFH, PFS
» But how do we get the data?
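The "Examples Simplified Equations" slide and this data slide together, as an added worked example (not code from the course): the 1oo1 and 1oo2 PFDavg equations shown on the slides applied to the failure rates, repair time and proof test interval listed above. The channel and group equivalent down times t_CE and t_GE are the IEC 61508-6 Annex B definitions; the common cause factors β = 0.10 and β_D = 0.05, the assumption MRT = MTTR, and the yearly spurious trip probability approximation are mine.

```python
"""Simplified (IEC 61508-6 style) PFDavg equations applied to the course's example data.

Added example (not from the course slides).  The 1oo1 and 1oo2 equations are the
ones on the "Examples Simplified Equations" slide; t_CE and t_GE are the channel
and group equivalent down times of IEC 61508-6 Annex B.  The common cause factors
beta and beta_D and the assumption MRT = MTTR are mine.
"""
import math

HOURS_PER_YEAR = 8760.0

# Failure rates per hour and test/repair data from the "Example Failure Rate Data" slide.
SD, SU, DD, DU = 3.06432e-6, 1.72368e-6, 1.22472e-6, 2.8728e-7
MTTR = 8.0                   # hours
T1 = HOURS_PER_YEAR / 2      # proof test interval: 6 months


def sff(sd, su, dd, du):
    """Safe failure fraction (slide formula, with lambda_S = SD + SU)."""
    return (sd + su + dd) / (sd + su + dd + du)


def t_ce(dd, du, t1, mttr, mrt):
    """Channel equivalent mean down time: DU faults wait on average T1/2 + MRT, DD faults MTTR."""
    lam_d = dd + du
    return du / lam_d * (t1 / 2 + mrt) + dd / lam_d * mttr


def t_ge(dd, du, t1, mttr, mrt):
    """Group equivalent mean down time (second channel failing after the first): T1/3 + MRT."""
    lam_d = dd + du
    return du / lam_d * (t1 / 3 + mrt) + dd / lam_d * mttr


def pfd_1oo1(dd, du, t1=T1, mttr=MTTR, mrt=None):
    """Slide: PFD_avg = (lambda_DU + lambda_DD) * t_CE."""
    mrt = mttr if mrt is None else mrt
    return (du + dd) * t_ce(dd, du, t1, mttr, mrt)


def pfd_1oo2(dd, du, beta, beta_d, t1=T1, mttr=MTTR, mrt=None):
    """Slide: independent double failure term plus the beta-factor common cause terms."""
    mrt = mttr if mrt is None else mrt
    tce = t_ce(dd, du, t1, mttr, mrt)
    tge = t_ge(dd, du, t1, mttr, mrt)
    independent = 2 * ((1 - beta_d) * dd + (1 - beta) * du) ** 2 * tce * tge
    common_cause = beta_d * dd * mttr + beta * du * (t1 / 2 + mrt)
    return independent + common_cause


def pfs_per_year(sd, su):
    """Probability of at least one spurious trip in a year (my approximation: Poisson with rate lambda_S)."""
    return 1.0 - math.exp(-(sd + su) * HOURS_PER_YEAR)


def sil_for_pfd(pfd):
    """IEC 61508 low demand band for a PFDavg; 0 if no SIL can be claimed."""
    for sil, (low, high) in {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}.items():
        if low <= pfd < high:
            return sil
    return 0


if __name__ == "__main__":
    print(f"SFF         = {sff(SD, SU, DD, DU):.2%}")
    p1 = pfd_1oo1(DD, DU)
    print(f"1oo1 PFDavg = {p1:.3e} -> SIL {sil_for_pfd(p1)}")
    p2 = pfd_1oo2(DD, DU, beta=0.10, beta_d=0.05)   # assumed common cause factors
    print(f"1oo2 PFDavg = {p2:.3e} -> SIL {sil_for_pfd(p2)}")
    print(f"PFS per year = {pfs_per_year(SD, SU):.3f}")
```

With these rates the 1oo1 channel gives an SFF of 95.44% and a PFDavg of about 6.4E-4 (SIL 3 band); the 1oo2 result is dominated by the β · λ_DU · (T1/2 + MRT) common cause term, which is why the redundancy slides warn that redundancy alone does not remove common cause.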
How Do We Get the Data?

» For new products we need to perform a reliability study
  * Electronics hardware
  * Mechanical hardware
  * Electro-mechanical hardware
» The most critical aspect of a reliability study is to define the safety function on device level
  * Measure the temperature with an accuracy of ±2% and provide the logic solver with the correct value. If an internal safe failure occurs drive the output signal according to user settings either below 4 mA or above 20 mA
Example Temperature Transmitter

[Figure: process temperature transmitter with 4-20 mA output and a High-High temperature trip point in the PLC; the current versus temperature in vessel (0 °C to 95 °C marks) carries these annotations:]
» Stuck - Dangerous, PLC can reveal failure (for example a dangerous detected failure)
» Stuck - Safe, PLC does not know -> Spurious trip
» Stuck - Dangerous, PLC will never know
» Stuck - Dangerous, PLC can reveal failure (for example a safe detected failure)

Safety Function of a Device

» If we had to buy a temperature sensor, what safety function should it have so that it meets our expectations for the top level end-user safety function?
  * Measure the temperature with an accuracy of ±2% and provide the logic solver with the correct value. If an internal safe failure occurs drive the output signal to below 3.6 mA, if an internal dangerous failure occurs, drive the output signal to above 21 mA
» Let's assume we need to build a SIL 2 temperature transmitter
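The transmitter safety function quoted above (below 3.6 mA for an internal safe failure, above 21 mA for an internal dangerous failure) seen from the logic solver side, as an added example that is not code from the course. It shows which stuck signals the PLC can reveal from the loop current alone and why a transmitter stuck inside the 4-20 mA range is the dangerous undetected case of the figure; the 4 mA = 0 °C / 20 mA = 100 °C scaling, the 65 °C trip point (from the course's example safety function), the tag names and the 5 °C deviation limit for comparing two transmitters are constructed for the example.

```python
"""Plausibility checks a logic solver can apply to a 4-20 mA temperature transmitter signal.

Added example (not from the course slides).  It encodes the transmitter
safety function quoted on the slide: at or below 3.6 mA the transmitter
reports an internal safe failure, at or above 21 mA an internal dangerous
failure.  The scaling 4 mA = 0 C, 20 mA = 100 C, the 65 C trip point
(from the course's example safety function), the tag names and the 5 C
deviation limit are constructed for the example.
"""

SAFE_FAILURE_MAX_MA = 3.6        # at or below: transmitter signals an internal safe failure
DANGEROUS_FAILURE_MIN_MA = 21.0  # at or above: transmitter signals an internal dangerous failure
RANGE_LOW_MA, RANGE_HIGH_MA = 4.0, 20.0
SCALE_LOW_C, SCALE_HIGH_C = 0.0, 100.0   # constructed scaling
TRIP_C = 65.0                            # High-High trip point in the PLC
DEVIATION_LIMIT_C = 5.0                  # constructed limit for comparing two transmitters


def ma_to_celsius(ma):
    """Linear 4-20 mA to temperature conversion with the constructed scaling."""
    span_ma = RANGE_HIGH_MA - RANGE_LOW_MA
    return SCALE_LOW_C + (ma - RANGE_LOW_MA) / span_ma * (SCALE_HIGH_C - SCALE_LOW_C)


def classify(ma):
    """How the PLC sees one loop current: 'safe_detected', 'dangerous_detected' or 'in_range'."""
    if ma <= SAFE_FAILURE_MAX_MA:
        return "safe_detected"
    if ma >= DANGEROUS_FAILURE_MIN_MA:
        return "dangerous_detected"
    return "in_range"


def logic_solver_1oo2(readings_ma):
    """Decide 'trip' or 'run' for two transmitters voted 1oo2, and return diagnostic flags.

    Any out-of-range signal trips (de-energize to trip: a revealed failure
    gets the safe response).  A transmitter stuck inside the range cannot
    be seen from its own current, the "PLC will never know" case on the
    slide; with two transmitters a deviation check can still flag it, so
    a deviation alarm is raised when both are in range but disagree by
    more than DEVIATION_LIMIT_C.
    """
    if len(readings_ma) != 2:
        raise ValueError("1oo2 needs exactly two readings")
    flags = []
    temps = []
    for tag, ma in zip(("TT-A", "TT-B"), readings_ma):
        kind = classify(ma)
        if kind == "in_range":
            temps.append(ma_to_celsius(ma))
        else:
            flags.append(f"{tag}:{kind}")
    if flags:
        return "trip", flags                  # revealed failure -> safe state
    if abs(temps[0] - temps[1]) > DEVIATION_LIMIT_C:
        flags.append("deviation_alarm")       # possible stuck-in-range transmitter
    action = "trip" if any(t >= TRIP_C for t in temps) else "run"
    return action, flags
```

The deviation alarm is only a diagnostic flag here, not a trip, because with one transmitter stuck the PLC cannot tell which of the two is wrong; what it does with that flag (alarm, degrade to 1oo1 on the other channel, or trip) is a design decision that belongs in the SRS.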
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Carrying Out an FMEDA 


' The developers will perform an FMEDA on the design of a safety device 


Which failure modes to take into account? 
> See table A1 of part 2 
' How to build diagnostics for these failure modes? 


' See tables A2 — A14 part 2 
Which Failure Modes Apply?

Requirements for diagnostic coverage or safe failure fraction

Components               | Low (60%)                        | Medium (90%)                                   | High (99%)
Discrete hardware        |                                  |                                                |
  Digital I/O            | Stuck-at                         | DC fault model                                 | DC fault model, drift and oscillation
  Analogue I/O           | Stuck-at                         | DC fault model, drift and oscillation          | DC fault model, drift and oscillation
  Power supply           | Stuck-at                         | DC fault model                                 | DC fault model
Bus                      |                                  |                                                |
  General                | Stuck-at of the addresses        | Time out                                       | Time out
  Memory management unit | Stuck-at of data or addresses    | Wrong address decoding                         | All faults which affect data in the memory
  Direct memory access   | No or continuous access          | DC fault model for data and addresses, wrong access time | Wrong data or addresses, wrong access time
  Bus arbitration        | Stuck-at of arbitration signals  | No or continuous arbitration                   | No or continuous or wrong arbitration

Source: table A.1 - IEC 61508 part 2
Example FMEDA Data Sheet

[Figure: an example FMEDA data sheet. Each row lists the component reference, the component type, its function in the circuit, the failure mode and the effect on the device, e.g. "C87 | Capacitor | Filter | Stuck open", and one row whose effect is "device unpowered".]
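An FMEDA roll-up from the rows of such a data sheet to the device-level rates, as an added example (not the course's sheet or any vendor's tool). The component list is constructed for this example: FIT values, failure-mode shares and diagnostic coverages are assumptions, but the columns are those of the sheet above (reference, component, function, failure mode, effect). The SIL limits in `max_sil_type_b_hft0()` are the Route 1H architectural constraints of IEC 61508-2 for a type B element with hardware fault tolerance 0, which is the question the SIL 2 transmitter of the previous slide has to answer.

```python
"""FMEDA roll-up: component failure modes -> lambda_SD, lambda_SU, lambda_DD,
lambda_DU -> SFF and DC -> SIL allowed by the architectural constraints.
Added example; the component data below are constructed assumptions."""
from dataclasses import dataclass, field


@dataclass
class Mode:
    name: str        # failure mode, e.g. "stuck open"
    share: float     # fraction of the component failure rate that takes this mode
    effect: str      # "S" safe, "D" dangerous, "N" no effect on the safety function
    dc: float = 0.0  # diagnostic coverage: fraction of this mode the device detects itself


@dataclass
class Component:
    ref: str
    kind: str
    function: str
    rate_fit: float            # total failure rate in FIT (1 FIT = 1e-9 /h)
    modes: list = field(default_factory=list)


# Constructed sample device; the shares of each component sum to 1.
COMPONENTS = [
    Component("C87", "Capacitor", "Filter", 2.0, [
        Mode("stuck open", 0.5, "N"),              # filter gone, measurement still within spec
        Mode("short", 0.5, "S", dc=1.0)]),         # device unpowered -> output below 3.6 mA
    Component("U3", "ADC", "Measurement", 40.0, [
        Mode("stuck-at", 0.4, "D", dc=0.9),        # reference-channel check catches most
        Mode("drift", 0.4, "D", dc=0.6),           # slow drift is harder to detect
        Mode("no output", 0.2, "S", dc=1.0)]),
    Component("R12", "Resistor", "Sensor excitation", 1.0, [
        Mode("open", 0.7, "S", dc=1.0),
        Mode("short", 0.3, "D")]),                 # wrong excitation, plausible reading: undetected
    Component("U1", "Microcontroller", "Logic", 100.0, [
        Mode("stuck-at", 0.3, "D", dc=0.9),
        Mode("program flow", 0.2, "D", dc=0.95),   # watchdog and flow monitoring
        Mode("RAM corruption", 0.3, "D", dc=0.9),  # RAM test
        Mode("reset", 0.2, "S", dc=1.0)]),
]


def fmeda(components) -> dict:
    """Sum the component rates into lambda_SD, lambda_SU, lambda_DD, lambda_DU and
    no-effect (all in FIT), splitting every mode by its diagnostic coverage."""
    lam = {"SD": 0.0, "SU": 0.0, "DD": 0.0, "DU": 0.0, "N": 0.0}
    for c in components:
        assert abs(sum(m.share for m in c.modes) - 1.0) < 1e-9, c.ref
        for m in c.modes:
            rate = c.rate_fit * m.share
            if m.effect == "N":
                lam["N"] += rate
            elif m.effect == "S":
                lam["SD"] += rate * m.dc
                lam["SU"] += rate * (1 - m.dc)
            elif m.effect == "D":
                lam["DD"] += rate * m.dc
                lam["DU"] += rate * (1 - m.dc)
            else:
                raise ValueError(f"{c.ref}: unknown effect {m.effect!r}")
    return lam


def safe_failure_fraction(lam) -> float:
    """SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_D); no-effect failures
    are left out, as in the 2010 edition of IEC 61508."""
    total = lam["SD"] + lam["SU"] + lam["DD"] + lam["DU"]
    return (total - lam["DU"]) / total


def diagnostic_coverage(lam) -> float:
    """DC = lambda_DD / lambda_D: the share of dangerous failures the device detects."""
    return lam["DD"] / (lam["DD"] + lam["DU"])


def max_sil_type_b_hft0(sff: float) -> int:
    """Highest SIL the Route 1H constraint allows for a type B element with HFT 0
    (0 = not allowed)."""
    if sff < 0.60:
        return 0
    if sff < 0.90:
        return 1
    if sff < 0.99:
        return 2
    return 3


if __name__ == "__main__":
    lam = fmeda(COMPONENTS)
    print({k: f"{v:.1f} FIT" for k, v in lam.items()})
    sff = safe_failure_fraction(lam)
    print(f"SFF = {sff:.3f}, DC = {diagnostic_coverage(lam):.3f}, "
          f"max SIL with HFT 0 = {max_sil_type_b_hft0(sff)}")
```

With these assumed numbers the device lands at an SFF of about 89%, just under the 90% a single type B channel needs for SIL 2: the next step for the developers is either more diagnostic coverage on the undetected dangerous modes (the ADC drift and the excitation resistor dominate λDU) or a redundant channel, which is exactly the trade-off the measures-to-control-failures tables are about.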
Measures to Control Failures

» The outcome of the FMEDA is meaningless if the measures to control failures have not been applied
» Measures to control failures are mainly implemented to deal with random failures
* They can also help against systematic failures
* See tables A.15 to A.17 of IEC 61508 part 2
» Measures to avoid failures are mainly implemented to deal with systematic failures
* See tables B.1 to B.5 of IEC 61508 part 2
» These measures help during hardware design and improve the device or product
Example Measures to Control Failures

[Table excerpt: techniques and measures to control systematic failures by hardware design, listed against SIL 2, SIL 3 and SIL 4; the visible rows are program sequence monitoring and failure detection by on-line monitoring.]
Exercise # 12

» Once the end-user has defined the safety function, devices and components that can perform this function need to be selected
» Can you define the safety function of
* A digital logic solver
* A power supply feeding the logic solver
* A safety relay
* An emergency shutdown valve
Exercise # 13

» An accident animation is shown
* Document what goes wrong
* And how it could have been prevented
» Let's take a look at what happened
Are You Ready for the PFD Calculation?

» At this point
* We have the safety function
* We created a hardware architecture
* We created a reliability model
  » Markov, FTA, simplified equations, RBDs
* We performed FMEAs on each safety device
* We collected the data
» Now we can perform the PFD calculation
[Figure: Markov tool output "Fail Dangerous - No Proof Test": probability of fail dangerous versus time [h] up to about 17,500 h, with the curves Fail Dangerous and AVG(Fail Dangerous).]

[Figure: Markov tool output "Fail Dangerous - 100% Proof Test - 6 Months": the same curves over 2,500 to 17,500 h; the Fail Dangerous curve is reset at every 6-month proof test.]

[Figure: Markov tool output "Fail Dangerous - 50% Proof Test - 6 Months": the same curves over 7,500 to 20,000 h; with 50% proof test coverage the curve is only partly reset at each proof test.]

Example 2oo3 Safety Function

[Figure: PFDavg of a 2oo3 safety function plotted against the proof test interval T [h] from 10,000 to 200,000 h, with the SIL/STL 1, SIL/STL 2, SIL/STL 3 and SIL/STL 4 bands marked.]
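The three proof-test cases of the plots above, and the 2oo3 vote of the last figure, recomputed as an added example (not the Markov tool's output and not the course's numbers). It assumes a dangerous undetected failure rate of 1e-6 per hour, a mission of 17,520 h (four 6-month intervals, matching the time axis of the plots), no mean repair time and no common cause (beta), and three independent channels for the 2oo3 vote; all of these are assumptions chosen for the example.

```python
"""PFD(t) and PFDavg of a dangerous undetected failure with no, full and partial
proof testing, for a 1oo1 channel and for a 2oo3 vote of three such channels.
Added example; lambda_DU, mission time and coverages are assumptions, repair
time and common cause are ignored."""
import math

HOURS_6_MONTHS = 4380.0


def pfd_at(t, lam_du, proof_interval=None, proof_coverage=1.0):
    """Unavailability of a 1oo1 channel at time t.  The share `proof_coverage` of
    lambda_DU is revealed and repaired at every proof test, so its clock restarts
    each interval; the remainder accumulates until the end of the mission (a 50 %
    proof test leaves half of the DU failures in place)."""
    if proof_interval:
        lam_tested = proof_coverage * lam_du
        t_since_test = t % proof_interval
    else:
        lam_tested, t_since_test = 0.0, 0.0
    lam_untested = lam_du - lam_tested
    return 1.0 - math.exp(-lam_tested * t_since_test - lam_untested * t)


def pfd_2oo3(q):
    """Dangerous failure of a 2oo3 vote with three independent channels of
    unavailability q: at least two failed = 3q^2(1-q) + q^3 = 3q^2 - 2q^3."""
    return 3 * q * q - 2 * q ** 3


def pfd_avg(lam_du, mission, proof_interval=None, proof_coverage=1.0,
            vote=lambda q: q, step=1.0):
    """Time average over the mission (midpoint rule) of the voted unavailability;
    vote=pfd_2oo3 gives the 2oo3 result, the default is the 1oo1 channel itself."""
    n = int(round(mission / step))
    return sum(vote(pfd_at((i + 0.5) * step, lam_du, proof_interval, proof_coverage))
               for i in range(n)) / n


def sil_from_pfd_avg(p):
    """Low demand SIL bands of IEC 61508 table 2 (0 = below SIL 1)."""
    if p >= 1e-1:
        return 0
    if p >= 1e-2:
        return 1
    if p >= 1e-3:
        return 2
    if p >= 1e-4:
        return 3
    return 4


def compare(lam_du=1e-6, mission=4 * HOURS_6_MONTHS):
    """The three cases of the plots above; each entry is
    (1oo1 PFDavg, its SIL, 2oo3 PFDavg, its SIL)."""
    cases = {
        "no proof test": (None, 1.0),
        "100% proof test, 6 months": (HOURS_6_MONTHS, 1.0),
        "50% proof test, 6 months": (HOURS_6_MONTHS, 0.5),
    }
    result = {}
    for name, (interval, coverage) in cases.items():
        p1 = pfd_avg(lam_du, mission, interval, coverage)
        p3 = pfd_avg(lam_du, mission, interval, coverage, vote=pfd_2oo3)
        result[name] = (p1, sil_from_pfd_avg(p1), p3, sil_from_pfd_avg(p3))
    return result


if __name__ == "__main__":
    for name, (p1, s1, p3, s3) in compare().items():
        print(f"{name:28s} 1oo1 PFDavg={p1:.2e} (SIL {s1})   2oo3 PFDavg={p3:.2e} (SIL {s3})")
```

The partial proof test is the instructive case: its average sits much closer to the untested channel than to the fully tested one, because the untested half of λDU keeps growing over the whole mission, which is what the steadily rising curve in the third plot shows. Note that the 2oo3 figures are optimistic without a common-cause term; the simplified equations of IEC 61508-6 add β·λDU·(TI/2) for that.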
Reliability Calculation Tools

» Many tools are on the market that support reliability calculations
» Without a formal degree in reliability engineering you can make calculations
» Most tools support only simplified PFDavg calculations
» Expert tools exist for more advanced calculations
* PTC - Relex
* Isograph - Reliability Workbench
* Item Software - Item Toolkit
* Risknowlogy - Markov
Summary Module 5

» What did we learn?
* Important design concepts like HFT, SFF, PFD, low demand, high demand, energize to trip, de-energize to trip, etc.
* The most important reliability techniques
* Reliability modeling
* Reliability calculations
Software Design

» In this module
* Software lifecycle
* Hardware/software relationship
* A typical software problem
* Safe software
* Three types of software
* Three types of development languages
* Software tools

Where Are We?

[Figure: the safety lifecycle with the current phase highlighted: hazard and risk assessment; allocation of safety functions; design and engineering of the safety instrumented system.]
Software Lifecycle - IEC 61508

[Figure: the IEC 61508 software safety lifecycle, starting with 1. Software safety requirements specification, framed by functional safety management, documentation and functional safety assessment. The scope of IEC 61508-2 is the hardware, the scope of IEC 61508-3 the software.]
An Example

» A client orders a piece of software

p·V/T = constant

An Example

» The specification says:

Specification

Req. 1.2.83:

Calculate the pressure with the following formula

p = c·V/T

An Example

» The programmer in the meantime...
* Programs the formula according to requirement 1.2.83
* Tests requirement 1.2.83
* Delivers a finished and tested program according to the specification

An Example

» What can go wrong?
* Is the specification correct?
  » No, actually not: p·V/T = const ≠ p = c·V/T
* Was the program correct?
  » Yes, the test showed it was correct
* Was the test correct?
  » Yes, the results looked good
* Was the test verified?
  » Yes, the creator of the test verified it
* Did we actually do the test?
  » Yes, I signed the paper, didn't I!
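The example in code, added here and not part of the course: the requirement test is derived from the same wrong sentence as the implementation and passes, while a validation test that checks the physical invariant the client actually ordered (p·V/T stays constant across states) fails the spec-literal version and passes the correct one. The constant and the sample states are constructed values.

```python
"""Verification against the specification vs. validation against what the
client ordered.  Added example; the constant c and the sample states are
constructed values."""


def pressure_per_spec(c, V, T):
    """Implements Req. 1.2.83 literally: p = c*V/T."""
    return c * V / T


def pressure_from_gas_law(c, V, T):
    """What the client ordered: p*V/T = c, hence p = c*T/V."""
    return c * T / V


def requirement_test(impl, c=8.314, V=2.0, T=300.0):
    """The programmer's test: built from the same requirement text, so it can
    only confirm that the code matches the text, not that the text is right."""
    return abs(impl(c, V, T) - c * V / T) < 1e-9


def validation_test(impl, c=8.314):
    """Independent oracle: for every state the computed pressure must satisfy
    the invariant p*V/T == c that the client stated in the order."""
    states = [(2.0, 300.0), (1.0, 600.0), (4.0, 150.0)]   # (V, T) pairs, constructed
    return all(abs(impl(c, V, T) * V / T - c) < 1e-9 for V, T in states)


if __name__ == "__main__":
    for impl in (pressure_per_spec, pressure_from_gas_law):
        print(f"{impl.__name__:22s} requirement test: {requirement_test(impl)}"
              f"  validation: {validation_test(impl)}")
```

This is why the V-model puts validation against the overall safety requirements at the top of the right leg: a test that is only traced back to the same requirement inherits the requirement's defect.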
Safe Software Is Needed

» What we need to achieve is safe software...
» Software is safe if
* The safety system can execute the safety function even under faulty conditions
* It can handle software bugs as well as hardware failures
* It has been developed according to functional safety standards
» Features to achieve safe software are mainly built at the embedded software level (IEC 61508 world)
» At the application level we mainly deal with relatively simple software logic (IEC 61511 world)
Embedded, Application and Utility Software

[Figure: a programmable electronic safety system with its application software (function blocks) running on top of the embedded software, and the utility software beside it.]

Fixed Programming Language = FPL
Limited Variability Language = LVL
Full Variability Language = FVL
Three Types of Development Software

» IEC 61508 deals with
* Full variability languages (FVL)
  » C, C++, Assembler, etc.
  » Good engineering practices
  » Measures to avoid failures - tables in part 3
» IEC 61511 deals with
* Limited variability languages (LVL)
  » Function blocks, ladder logic, etc.
* Fixed programming languages (FPL)
  » A sensor with only an up and down button to set a limit
IEC 61511 Software

» IEC 61511
* Does not differentiate between SIL 1, 2 or 3 software
* Lists requirements which are suitable for up to SIL 3
* Does not allow SIL 4 software but refers in that case back to IEC 61508
* Software can be developed according to the V-model
Software Management via V-model

[Figure: the V-model for SIS software, with the specification and design phases on the left leg and the matching test phases on the right leg.]

Left leg (specification and design):
* Safety requirements specification for SIS / SIF (end-user)
* Architecture design hardware: subsystem architectures
* Architecture design application software: SIF allocation, alarm management, etc. (system integrator)
* Application software development: SIF logic, voting, alarms, diagnostics, safe states, etc., implemented in (custom) function blocks, ladder logic, structured text, etc. (coding in limited variability and fixed programming languages)
* Architecture design safety-related logic solver: embedded software, operating system, diagnostics, libraries, support functions, etc.
* Module development embedded software / safety-related logic solver: code development, coding in a full variability language

Right leg (testing):
* SIS validation testing: site acceptance test, validated SIS (end-user)
* Integration testing: factory acceptance test, loop testing, input combination testing, bus overload testing
* Application software testing: module testing, black box testing
* Logic solver testing: integration tests, system tests

For all phases: testing, coding standards, functional safety management, documentation, verification, functional safety assessment
Application Software Development

[Figure: the inputs the system integrator works from: client meetings, cause & effect diagrams, logic diagrams, the end-user specification, the system integrator specification and the safety manual of the general purpose safety PLC.]

And where is the Software Safety Requirements Specification?
If you do not have one, the software engineer will use his own interpretation
Application Software

» Application software can include
* Logic in terms of voting blocks
* Limits in terms of settings
* Timing elements
* Bypass logic
* Diagnostics, alarms and associated safe state actions
* Logic to maintain the architectural constraints as defined in the SRS
» Remember
* Software should be based on a software safety requirements specification
* Software not only influences safety availability but also process availability
* Software means dealing with systematic failures
Application Software Testing

» Bad example
* Print out the logic
* Test the logic by "line by line" review
* What did we prove now? That the printer did not make a mistake?
» Better example
* Compare the programmed logic to the software requirements specification
* Test each individual loop (FAT/SAT)
* Test all possible input combinations and monitor all outputs with an event logging tool (FAT/SAT)
* Perform tests like communication overload, short circuits on signal lines, etc. and verify the correct working of diagnostics, alarms, voting and safe state actions
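The "test all possible input combinations and log all outputs" step for a voting block, as an added example (not the course's procedure or any safety PLC's test tool). The oracle is the majority rule taken from an assumed software requirements specification, never from the block under test; a constructed defective variant shows what the exhaustive run catches that a few hand-picked cases would miss. The degraded-voting function covers the last bullet: what the block does once diagnostics have flagged a channel.

```python
"""Exhaustive input-combination test of a 2oo3 voting block with an event log,
plus the degraded voting used when diagnostics take a channel out.
Added example; the defective variant is constructed on purpose."""
from itertools import product


def vote_2oo3(a: bool, b: bool, c: bool) -> bool:
    """Trip when at least two of the three channels demand a trip."""
    return (a and b) or (a and c) or (b and c)


def vote_2oo3_buggy(a: bool, b: bool, c: bool) -> bool:
    """Constructed defect: the (a and c) term was forgotten."""
    return (a and b) or (b and c)


def srs_majority(*channels: bool) -> bool:
    """Oracle taken from the requirement, not from the code under test."""
    return sum(channels) >= 2


def discrepancy_alarm(a: bool, b: bool, c: bool) -> bool:
    """Alarm when the channels disagree, so a single failed channel is noticed
    long before a second failure could turn it into a dangerous state."""
    return not (a == b == c)


def exhaustive_test(block, n_inputs, oracle):
    """Drive every 2**n input combination, log each step like an event logger
    would, and return (passed, failing_patterns, log)."""
    log, failures = [], []
    for inputs in product((False, True), repeat=n_inputs):
        out, expected = block(*inputs), oracle(*inputs)
        pattern = "".join("1" if x else "0" for x in inputs)
        verdict = "PASS" if out == expected else "FAIL"
        log.append(f"inputs={pattern} output={int(out)} expected={int(expected)} {verdict}")
        if out != expected:
            failures.append(pattern)
    return not failures, failures, log


def vote_degraded(channels):
    """channels: [(demand, healthy), ...].  Channels with a detected failure are
    taken out of the vote: 2oo3 degrades to 1oo2, then to 1oo1; with no healthy
    channel left the only safe action is to trip."""
    healthy = [demand for demand, ok in channels if ok]
    if len(healthy) == 3:
        return sum(healthy) >= 2
    if len(healthy) == 2:
        return any(healthy)
    if len(healthy) == 1:
        return healthy[0]
    return True


if __name__ == "__main__":
    for block in (vote_2oo3, vote_2oo3_buggy):
        ok, failures, log = exhaustive_test(block, 3, srs_majority)
        print(block.__name__, "PASS" if ok else f"FAIL on {failures}")
        print("\n".join(log))
```

Eight combinations is cheap; for a real SIF the input space is the product of all its inputs, bypasses and timers, so the same loop is run per function block and the FAT/SAT records the log as evidence.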
Measures to Avoid & Control Failures

» The measures
* Are grouped according to lifecycle phases
* The effectiveness of the measures is determined by the SIL
* We can only try to control failures that have occurred
* See tables A.1 to A.10 and B.1 to B.9 in IEC 61508 part 3
Measures to Avoid Failures

Software design and development - detailed design

Technique / Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4
1a Structured methods
1b Semi-formal methods
1c Formal design and refinement methods
Computer-aided design tools
Defensive programming
Modular approach
Design and coding standards
Structured programming
Use of trusted/verified software elements (if available)
Forward traceability between the software safety requirements specification and software design
Measures to Control Failures

» Software is written to deal with random failures
» Measures to control failures include for example:
* Hardware architecture
* Self test measures for system and sub-systems
  » CPU
  » Bus and signal
  » RAM, EEPROM, ROM, flash
* System watchdog with independent time base
* Program flow monitoring
* Safety protocols for data transmission paths
* Redundant and/or inverse data storage
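Three of the listed measures in their simplest form, as an added example (not code from the course or from any safety PLC's embedded software): inverse data storage that catches a flipped bit on read, program flow monitoring that compares checkpoint signatures against the expected sequence, and a watchdog with an injected clock. The signatures, the 16-bit word width, the timeout and the test hooks that simulate the faults are assumptions of the example.

```python
"""Inverse data storage, program flow monitoring and a watchdog, applied to
one safety cycle.  Added example; signatures, widths and timeouts are assumed,
and the fault-injection hooks exist only to show the measures reacting."""
import time


class MemoryFault(Exception):
    pass


class ProgramFlowFault(Exception):
    pass


class InverseStore:
    """Every value is stored plain and bit-inverted; a read that finds the pair
    inconsistent (a flipped bit in either copy) is reported, not returned."""
    MASK = 0xFFFF   # 16-bit words

    def __init__(self):
        self._cells = {}

    def write(self, key, value):
        value &= self.MASK
        self._cells[key] = [value, (~value) & self.MASK]

    def read(self, key):
        plain, inverse = self._cells[key]
        if plain ^ inverse != self.MASK:
            raise MemoryFault(f"{key}: copies disagree ({plain:#06x} / {inverse:#06x})")
        return plain

    def flip_bit(self, key, bit):
        """Test hook: simulate a single bit flip in the plain copy."""
        self._cells[key][0] ^= 1 << bit


class FlowMonitor:
    """Each step of the cycle reports a signature; at the end the sequence must
    match exactly (nothing skipped, repeated or out of order)."""
    EXPECTED = (0x1A, 0x2B, 0x3C, 0x4D)

    def __init__(self):
        self.trace = []

    def checkpoint(self, signature):
        self.trace.append(signature)

    def verify(self):
        if tuple(self.trace) != self.EXPECTED:
            raise ProgramFlowFault(f"trace {self.trace} != expected {list(self.EXPECTED)}")
        self.trace.clear()
        return True


class Watchdog:
    """Must be kicked within `timeout` seconds of an independent clock `now`;
    a cycle that hangs or aborts never kicks it and is caught that way."""
    def __init__(self, timeout, now=time.monotonic):
        self.timeout, self.now = timeout, now
        self.last_kick = now()

    def kick(self):
        self.last_kick = self.now()

    def expired(self):
        return self.now() - self.last_kick > self.timeout


def safety_cycle(store, monitor, watchdog, skip_step=None):
    """Read input, read limit, compute trip, write output; `skip_step` is a test
    hook that omits one step, as a corrupted jump would."""
    steps = {
        0x1A: lambda: store.read("input_a"),
        0x2B: lambda: store.read("limit"),
        0x3C: lambda: store.write("trip", int(store.read("input_a") > store.read("limit"))),
        0x4D: lambda: store.read("trip"),
    }
    for signature, step in steps.items():
        if signature == skip_step:
            continue
        step()
        monitor.checkpoint(signature)
    monitor.verify()
    watchdog.kick()
    return store.read("trip")


def run_demo():
    """Returns (trip_output, flow_fault_caught, memory_fault_caught, watchdog_expired)."""
    store, monitor = InverseStore(), FlowMonitor()
    clock = [0.0]                                   # injected clock instead of wall time
    wd = Watchdog(timeout=0.1, now=lambda: clock[0])
    store.write("input_a", 830)                     # constructed: 83.0 degC scaled x10
    store.write("limit", 800)
    trip = safety_cycle(store, monitor, wd)         # healthy cycle: 830 > 800 -> trip = 1
    try:
        safety_cycle(store, monitor, wd, skip_step=0x2B)
        flow_caught = False
    except ProgramFlowFault:
        flow_caught = True
    monitor.trace.clear()
    store.flip_bit("limit", 3)                      # single-event upset in RAM
    try:
        safety_cycle(store, monitor, wd)
        mem_caught = False
    except MemoryFault:
        mem_caught = True
    clock[0] += 0.5                                 # neither faulty cycle kicked the watchdog
    return trip, flow_caught, mem_caught, wd.expired()
```

In a real logic solver each exception maps to the safe state action defined in the SRS (de-energize outputs, raise a diagnostic alarm) rather than to a Python traceback; the point of the example is that all three faults are detected by structure, not by the affected computation noticing anything wrong.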
Summary Module 6

» What did we learn...
* Software safety is more about the process of software development than the software itself
* Systematic approach via the V-model
* Measures to control and avoid failures need to be applied

Certification, Proven In Use, and Data

» In this module
* Dilemma for end users and system integrators
* What is certification
* What to look for in a certificate
* What is proven in use
* How to prove "proven in use"
* Reliability data sources
Dilemma for End-Users and SI

» Often heard comments:
* "I cannot analyze in detail each hardware and software aspect of a device. I am a process control engineer. Not a circuit diagram designer or a programmer of operating systems. How do I know these devices are compliant?"
* "Our plant has been running fine for 10 years. Why should I replace all my working equipment with new safety equipment?"
IEC 61508 Compliant Devices

» A device is fully compliant with IEC 61508 when the following requirements have been addressed
* Functional safety management
* Hardware requirements
* Hardware reliability analysis
* Software requirements
* Basic electrical safety, EMC, environmental
* User documentation
» How many products do you know that are fully compliant?
How Do You Know Everything Is Compliant?

» Help is on the way! As a user
* You do not need to analyze products in detail
* You can make use of
  » Certified devices and/or
  » Proven in use devices and/or
  » Existing reliability data sources
* You only need to understand how to apply the above options
Certification

» What is certification?
* Somebody who certifies attests that a statement made is true
* For example, to attest that the IEC 61508 standard has been met for the smart transmitter
» Certification is NOT required by IEC 61511
* The word certification does not exist in IEC 61511
* IEC 61511 only knows verification, validation, assessment, and audits
» How does it help?
* If a product, system, organization or person is certified
  » You have less analysis and verification to do
  » You have less of a headache!
  » Because somebody else did the work for you
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What to Look for in a Certificate... 


* A good certificate should state 

* The manufacturer and the certified product(s) 

» The main standards applied 

' The level of safety achieved 

> The corresponding report to the certificate and the safety manual 
» The report to the certificate should 

» Explains how and what has been certified 

» Should lists restrictions on use, if any 


* The safety manual should explain how to install, commission, operate, maintain, and 
repair the safety device 


* Do not buy a product unless you first received the 
certificate + report + safety manual 
Example Certificate Product

[Figure: two example product certificates. Left: a TÜV certificate, holder ABB AB, Open Control Systems; product "Safety Related Programmable Electronic System", model 800xA Safety; parameters: logic solver AC 800M High Integrity (HI) comprising PM865 and SM810 - SIL 1-2, CAT 3, PL e; PM865 and SM811 - SIL 1-3, CAT 4, PL e; I/O modules AI880A, DI880, DO880 - SIL 1-3, CAT 4, PL e; IEC 61508:2000 parts 1 to 7, low and high demand mode; test report no. A064110. Right: a certificate for a 2oo3 safety control block with safety solenoid valves (models EHS 2v3-10-...), with parameters such as operating pressure range, maximum static operating pressure and temperature range. Both state that the referenced report and the user documentation are a mandatory part of the certificate and that the product complies only if the specifications documented in the current revision of the report are met.]

Certificate, Report + Safety Manual

[Figure: a certificate, its report and the safety manual (SITRANS transmitter example) shown side by side.]

Example Loop Certification

[Figure: a TÜV loop certification data sheet, transcribed below.]
System: TROXNETCOM-AS-i
Manufacturer: TROX
Intended application: the above listed system is used in industry as a smoke detection and ventilation system
Basis of testing: IEC 61508:1998
Report: the test report 101.102.112.1 of 2010.10.30 is an integral part of this data sheet
Assessment: Full assessment

Functional Safety Data
Mode: Low demand
Principle: De-energize to trip
PFDavg (1Y, MTTR = 7300): 2.37E-03
Safety Integrity Level: SIL 2
Example Organization

[Figure: a TÜV Rheinland certificate for the company HIMA Paul Hildebrandt GmbH + Co KG, Projektmanagement und Engineering, Industrie-Automatisierung, 68782 Brühl. It states that the company has successfully proven, within the scope of the audit, that a Functional Safety Management System (FSM system) has been introduced and is applied accordingly. The object of the audit is the proof of the implementation of the requirements defined in the base standards relating to the management of functional safety, the documentation, the functional safety assessment as well as the company-specific safety lifecycle phases, according to the scope: IEC 61508: E/E/PE safety-related system integration; IEC 61511: SIS integration. The scope of certification is the integration of E/E/PE safety-related systems, sensors and actuators respectively SIS, comprising configuration, application programming, assembly and installation as well as safety loop calculations for process industry safety solutions. The audited FSM system and the involved company departments are listed in the organizational documents of the scope of certification.]
Example Certification People

[Figure: two personal certificates. Left: John Doe has successfully completed the Functional Safety Certification Program requirements for Functional Safety Professional, in accordance with IEC 61508:1998 and IEC 61511:2003, ID number IP10050101, Safety Instrumented Systems. Right: Dr. Michel Houtermans has successfully completed the Functional Safety Certification Program requirements for Functional Safety Expert, in accordance with IEC 61508:2010, Safety Industry / Safety Related Systems.]
Who Can Certify?

» In principle any company and/or person in the world can certify
» The question is not "who can certify?" but "who do you trust?"
» Much more important than who can certify is to pay attention to
* WHAT has been certified, and
* HOW it has been certified
Questions

» What is the difference between a device that is certified and a device that is not certified?
» Is certification always complete?
» Can proven in use be certified?
Proven In Use

» "Proven in use" is defined by IEC 61511 as
* When a documented assessment has shown that there is appropriate evidence, based on the previous use of the component, that the component is suitable for use in a safety instrumented system
* The evidence is dependent on the complexity of the device and the target failure measures
» Why is it so tempting to apply?
* Because if a subsystem is regarded as proven in use, then information regarding the measures and techniques for the prevention and control of systematic faults is not required (i.e., the tables in IEC 61508 parts 2 and 3)
* Failure rate data is still required!
What Actually Needs to Be Proven?

» So what is it that we try to prove?
* The most important evidence is that the actual safety function of the safety device or subsystem executes as designed
* If we cannot prove, with documented evidence, that the safety function works, we cannot claim proven in use
» For example
* Consider the safety function of an emergency shutdown valve, i.e., close upon demand
* If an ESD valve was installed for 5 years but had never been closed, we cannot know whether it works when needed
* We cannot claim proven in use evidence as it was never used
» How can we collect evidence?

How to Prove "Proven in Use"

» Evidence for proven in use must be documented
» Evidence needed:
* The element / subsystem has restricted functionality
  » A PLC can never be claimed as proven in use
  » A transmitter can, a relay can, a valve can....
* Conditions of use are the same or sufficiently close
  » If not the same, an impact analysis of the differences must be carried out
* If functions are present that are not part of proven in use, then it needs to be proven that they do not interfere with the proven in use functions
* Any future modifications to a proven in use element / subsystem need to follow the modification procedures
How to Prove "Proven in Use"

» Evidence needed
* Evidence is based on operational experience
* The volume of the considered operating experience has a minimum of 70 % confidence interval
* Statistical evidence that the claimed dangerous failure rate is sufficiently low
  » Very difficult to meet as failure track records are usually not available
* Performance of the components or subsystems in similar operating profiles and physical environments
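What the 70 % confidence requirement means in device-hours, as an added example (not the course's calculation). It uses the one-sided upper confidence bound on a constant failure rate from a Poisson count of failures over the accumulated operating time; with zero observed failures the bound is -ln(0.3)/T, about 1.2/T. The claimed rate, fleet size and years in service fed in are assumptions for the example.

```python
"""Operating experience needed to support a dangerous failure rate claim at
70 % one-sided confidence.  Added example; the field records are constructed."""
import math


def poisson_cdf(k: int, mu: float) -> float:
    """P(X <= k) for X ~ Poisson(mu)."""
    return sum(math.exp(-mu) * mu ** i / math.factorial(i) for i in range(k + 1))


def expected_failures_bound(failures: int, confidence: float = 0.70) -> float:
    """mu* with P(X <= failures | mu*) = 1 - confidence: the largest expected
    number of failures (lambda * T) still compatible with the observed count.
    For zero failures this is -ln(1 - confidence)."""
    target = 1.0 - confidence
    lo, hi = 0.0, 10.0 * (failures + 1)
    for _ in range(200):            # bisection; the CDF is decreasing in mu
        mid = (lo + hi) / 2
        if poisson_cdf(failures, mid) > target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def upper_failure_rate(device_hours: float, failures: int, confidence: float = 0.70) -> float:
    """Largest dangerous failure rate (per hour) compatible with the field record."""
    return expected_failures_bound(failures, confidence) / device_hours


def required_device_hours(claimed_rate: float, failures: int = 0, confidence: float = 0.70) -> float:
    """Operating hours needed before `claimed_rate` is supported with `failures` observed."""
    return expected_failures_bound(failures, confidence) / claimed_rate


def evidence_summary(units: int, years_each: float, failures: int, claimed_rate: float) -> dict:
    """Turn a field record ('N units, Y years each, k dangerous failures') into
    the bound, a verdict, and the experience still missing (if any)."""
    hours = units * years_each * 8760.0
    bound = upper_failure_rate(hours, failures)
    return {
        "device_hours": hours,
        "upper_rate_70pct": bound,
        "claim_supported": bound <= claimed_rate,
        "hours_still_needed": max(0.0, required_device_hours(claimed_rate, failures) - hours),
    }


if __name__ == "__main__":
    for units in (200, 400):
        s = evidence_summary(units, 5, 0, 1e-7)     # constructed: 5 years in service, no DU failure
        print(f"{units} units: {s['device_hours']:.2e} h, lambda_DU <= {s['upper_rate_70pct']:.2e}/h, "
              f"claim 1e-7/h supported: {s['claim_supported']}")
```

The numbers explain the slide's warning that the statistical evidence is "very difficult to meet": supporting a modest 1e-7 per hour claim with no failures needs about 1.2e7 device-hours, i.e. some 1,400 device-years of documented service in comparable conditions, and every dangerous failure in the record pushes that requirement up.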
Evidence

» What is not enough...
* "Here is a list of all our customers since 1979." (one of the largest valve manufacturers in the world)
» The above evidence lacks everything:
* No number of products
* No number of operating hours
* No feedback from customers
* No evidence was submitted
Do You Care About Safe Failures?

» Think about this when it comes to "proven in use"
» Many manufacturers/suppliers want you to believe that their product is proven in use
* Saves them a lot of analysis time
* No development cost for measures to avoid and control failures
* Time to market
» If you do not get the appropriate answer from a supplier concerning dangerous failures, then you will also not get answers concerning safe failures... spurious trips... $$$
» In most cases only a user can claim "proven in use" on a product
* Exceptions always exist
Questions

» What is the difference between a device that is proven in use and a device that is not proven in use (certified or not)?
» What is better, a certified device or a proven in use device?
» If you had to install a safety device, what would you prefer to have?
Sources of Reliability Data

» Many sources exist nowadays
» End user data is usually the best
» Prediction data is usually needed

Abbreviation | Description
OREDA        | Offshore Reliability Data
MechRel      | Handbook of Reliability Prediction for Mechanical Equipment
T-Book       | Reliability Data of Components in Nordic Nuclear Power Plants
SINTEF       | Reliability Data for Control and Safety Systems - PDS Data Handbook (sensors, detectors, valves & control logic)
SERH         | Safety Equipment Reliability Handbook
CCPS         | Guidelines for Process Equipment Reliability Data
             | Process Equipment Reliability Data (AIChE)
Exercise # 14


» Case study: Make your case 


As a sales person you are a team member that is bidding 
on a big project where the client wants to buy all the 
equipment to build several safety loops (sensors, logic 
solvers, valve positioners, valves). You are responsible for 
the sales of the pressure transmitter series of your 
company. After doing some research you found out that 
several competitors are also bidding on the same project. 
The pressure sensor product you are trying to sell is 
certified by a third party... 
Summary Module 7

» We learned
* What is a certificate and who can certify
* What is proven in use
* How to prove proven in use
* Sources of reliability data

Using the Safety Instrumented System

» In this module
* Installation and commissioning
* Validation
* Operation, maintenance and repair
* Modifications and retrofit
Where Are We?

[Figure: the safety lifecycle with the current phases highlighted: hazard and risk assessment; allocation of safety functions to protection layers; safety requirements specification for the safety instrumented system; design and development of other means of risk reduction alongside design and engineering of the safety instrumented system; installation, commissioning and validation; operation and maintenance; modification.]
Installation and Commissioning

» Installation and commissioning must be
* Carried out according to the plan
» What to document:
* Installation and commissioning activities
* Failure resolution, if any

Installation and Commissioning

» Task for suppliers
* Give the end-user sufficient documentation to install and commission the safety system correctly
» Tasks for end-users
* Use the plan
* Follow the manual

Safety Validation

» Do we have the right system?
* Validate that you got what you specified
* The basis is the overall safety requirements specification
* Use the validation plan
* Perform FAT/SAT

Safety Validation

» What needs to be documented
* Validation activities
* System and safety functions validated
* Tools required during validation
* Results of the validation
* Any discrepancies
* Why or why not to continue

Operation, Maintenance and Repair

» In general
* Implement the plan
* Follow the procedures for operation, maintenance and repair
  » Hardware
  » Software


+ We need to have procedures for 
» Implementation 
* Maintenance schedules 
* Repair activities 
* Modifications 


> Periodic safety audits (functional safety assessment) 
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Documentation 


* You need to document the following 
* Results of functional safety audits 
* Time and cause of demands, the performance of the safety system 
» Any failure causes and effects for equipment 
+ Discrepancies found during maintenance 


' Any modification made (plant, control system, safety instrumented system) 
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Modifications and Retrofit 


» Objective is always no matter what we change we need to 
» Guarantee the safe state 
* Guarantee functional safety 

» Follow modification procedure 


* As defined during management of functional safety 
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Override Procedures 


* Maintenance override is no problem as long as you guarantee the safety function 
+ Things to think about 


» Is there a procedure? 

> Are people informed? 

» Is the override time limited? 

* Do you lock out / tag out the area? 


* See override procedure 
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Summary module 8 


» What did we learn... 
» Everything needs to be done according to the plan 
* Validation is the only chance to validate whether you got the right design 


* You cannot just modify things 
Conclusions

» We have come to the end
» Any final questions?
» Tomorrow
* Please bring the eligibility forms
* Make sure they are checked and signed
* Please fill in our evaluation sheet
  » We want to improve our Functional Safety review program

Good Luck Tomorrow

» We can automate a lot ... but not everything

Functional Safety Certification Course
Functional Safety for Safety Instrumented System Professionals

www.risknowlogy.com - riskfree@risknowlogy.com